Seven lessons learned from the Gawker and McDonald's hack attacks
Email addresses and passwords for millions of Gawker and McDonald's fans have been exposed -- and yours may be among them.
Hack attacks are on the rise. And even if you're not the immediate target, you could still end up a victim.
Fans of artery-clogging fast food and snarky online gossip learned this the hard way last weekend, thanks to hack attacks that took down McDonald's and Gawker.
If you've signed up for updates from Mayor McCheese or ever waded into the cat fights at Gawker and its subsidiary sites, then hackers now have your email address and your password. Nice, eh?
Over the weekend Gawker got totally pwned by a hacker group calling itself Gnosis. Contrary to some published reports, Gnosis is not affiliated with the Anonymous/4channers who've been DDoSing sites on behalf of WikiLeaks. But it apparently saw them as kindred spirits; so when Gawker writers began chiding the 4channers online, Gnosis decided to wreak revenge.
Among other things, Gnosis completely took over Gawker's content management system and posted bogus stories on the site. They also hacked Gawker's databases; the trove included the email addresses and logins for every Gawker employee, along with those of 1.2 million readers who had commented on one of Gawker's sites. Gnosis decrypted about 200,000 of the addresses and posted the rest on torrent sites for anyone to download and decrypt. They also parsed out a select list of government email addresses and passwords, apparently for use in future attacks.
McDonald's itself didn't get hacked; instead, the third party it hired to handle its email promotions got nailed. The booty there included names, contact info, and birthdays for an undisclosed number of Mickey D's customers.
Even if you don't give a damn about Gawker or McSlurries and have never visited either site, there are lessons here that apply across the Web. And the biggest ones have to do with how you choose and use passwords and logins.
1. Segregate your passwords. Unless you use a password vault like those from Billeo, RoboForm, or MyOneLogin, it's impossible to choose a unique and hard-to-guess password for every friggin' site with a login screen. In fact, the average Internet user has to remember 156 passwords, according to Billeo. So you need to pick your spots -- don't use the same password for logging into a blog's comments field as you would for logging into your bank, for example. Use a common password for the accounts you don't give a damn about, and unique ones for everything that matters.
Personally, if somebody got my Gawker login and started posting stupid things in my name, it would not be a good thing, but it wouldn't be the end of the world either. (It also wouldn't be the first time that, ahem, stupid comments were associated with my name.) If someone got my banking login, though, that would entirely suck.
So if you've been using the same passwords for everything, it's time to change the important ones. Do it now; I'll wait.
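One concrete way to act on lesson 1 after a breach like this is to audit your own account list for exactly the two problems the article describes: a password shared between a throwaway account and one that matters, and a password that shows up in the published dump. The script below is an added example, not code from the article or from Gawker; the site names, tiers, passwords and the "leaked" set are all constructed sample data, and the report prints only a short hash fingerprint so no plaintext password ends up in a log.

```python
"""Password-reuse audit for a personal account inventory.

Added example (not the article's code). The account list and the
'leaked' set are constructed stand-ins for a real inventory and a
real breach dump; swap in your own data locally and never share it.
"""
import hashlib
from collections import defaultdict


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so findings can be reported without echoing the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


# Constructed inventory: (site, tier, password). Tiers follow the article's
# split between accounts that matter and accounts you don't care about.
ACCOUNTS = [
    ("bank.example",         "matters",   "Tr0ub4dor&3"),
    ("mail.example",         "matters",   "correct horse battery staple"),
    ("gossipblog.example",   "throwaway", "Tr0ub4dor&3"),
    ("burgerpromo.example",  "throwaway", "Tr0ub4dor&3"),
    ("forum.example",        "throwaway", "letmein123"),
]

# Constructed stand-in for the plaintext passwords an attacker published
# after cracking a dump (the Gawker scenario: cracked values posted openly).
LEAKED_PASSWORDS = {"letmein123", "password1"}


def audit(accounts, leaked):
    """Return a list of (finding, fingerprint, sorted sites) tuples.

    Findings:
      cross_tier_reuse      - one password used on both a 'matters' and a 'throwaway' site
      reuse_among_important - one password shared by two or more 'matters' sites
      in_leak               - a password you still use appears in the leaked set
    """
    by_password = defaultdict(list)
    for site, tier, pw in accounts:
        by_password[pw].append((site, tier))

    findings = []
    for pw, uses in by_password.items():
        tiers = {tier for _, tier in uses}
        sites = sorted(site for site, _ in uses)
        if "matters" in tiers and "throwaway" in tiers:
            findings.append(("cross_tier_reuse", fingerprint(pw), sites))
        elif len(sites) > 1 and tiers == {"matters"}:
            findings.append(("reuse_among_important", fingerprint(pw), sites))
        if pw in leaked:
            findings.append(("in_leak", fingerprint(pw), sites))
    return findings


if __name__ == "__main__":
    for finding, fp, sites in audit(ACCOUNTS, LEAKED_PASSWORDS):
        print(f"{finding:22s} fp={fp}  change on: {', '.join(sites)}")
```

Run it locally against your own inventory; the sample data produces one cross-tier reuse (the bank password is also the password on two throwaway sites) and one leaked password still in use on the forum account. The point of the tiering rule is the one the article makes: a throwaway site's database is the weakest link, so any password that touches both tiers is only as safe as the sloppiest site it is used on.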
2. Use obscure user names. Some sites require you to enter your email address as your login, which is both easier to remember and easier to hack. If you have the option to use a username, pick that instead. It may still be associated with your email address in the hacked company's database, but it's one less clue to your identity on other sites.
3. Use 'disposable' email addresses. Free email addresses are plentiful and, well, free. There's no reason to use your personal or business email address (or, in most cases, your real name) to register for a site. This will also cut down on the amount of spam in your inbox.
4. Use Facebook Connect. Though I am leery of giving too much information to the world's largest social network, using its Connect service to log in could protect you from future hacks. In its FAQ about the hack attack, Gawker notes that it does not store login info for those who sign on via Facebook Connect. With other sites your mileage may vary.
5. Don't assume any site is secure. You'd be amazed at the number of Web sites that can be hacked by rudimentary methods. The main reason they haven't been is that nobody cares enough to do it (or they have been, and you just haven't heard about it). Security through obscurity is still the primary way most non-commerce sites survive.
6. Don't make yourself a target. Apparently, the kids at Gawker never heard that old Jim Croce song: You don't tug on Superman's cape, you don't spit into the wind, you don't give Stone Cold Steve Austin a wedgie and you don't call out 4chan. Stupid, stupid, stupid.
7. Keep an eye out for scams. The main threats from data leaks like this are identity theft and social engineering. Someone is going to use this information to pretend to be you, or they'll use it to pretend to be someone you know so they can extract more information from you -- and then pretend to be you. The ultimate aim is almost always gaining access to sensitive accounts like online banks or large Web sites.
The other side effect: More spam. The compromised Gawker Twitter account has already been used to distribute "acai berry" spam.
McDonald's has set up a toll-free line (800-244-6227) for people who get contacted by scammers as a result of the breach. Gawker says it will send out an email to its registered users urging them to change passwords and will, eventually, allow them to delete their accounts (like that's going to do any good now).
Have you changed your passwords yet?