Gawker, which hosts Gawker, Jezebel, Lifehacker, Gizmodo, Deadspin, Kotaku, Fleshbot, io9 and Jalopnik, has been hacked and all the user account passwords may be compromised. Here’s a FAQ on the situation. If you have a Gawker commenting account and you use the same password for other accounts, it may be smart to change that password elsewhere.
I’ve never understood why sites expect users to go through a username/password signup just to make a comment. I much prefer the way we do it here.
Omnes Omnibus
What the hell is fleshbot or don’t I want to know?
Rooker
“I’ve never understood why…”
Because of the mistaken belief that all anonymous commenters are trolls and that making them use a fake name and throwaway email address somehow makes them all vanish. Playing out that fantasy is easier than doing any moderating.
stuckinred
@Omnes Omnibus: It is what you think it is!
mk3872
However, having more control over user accounts would allow you to disable Firebaggers from commenting.
El Tiburon
And how.
Fleshbot? Yeah, I’ve never heard of it either. Be back in 45 seconds, though.
tBoy
I keep a small database of user names and passwords over the years – business websites, places I’ve bought stuff, blog sites, … Up to 295 separate rows.
Linda Featheringill
I like the no-sign-up comment system.
I understand newspapers wanting to harvest a bit of information from you for their advertisers, but the other sites? Not so much.
Besides, going through all of that sign-up nonsense kills the mood and puts a damper on the whole interaction.
[And I’m not going to look into fleshbot, either.]
Rob
My guess is that there was some paper by some consultant somewhere that said username/password accounts lead to stickiness.
debit
I had a user ID on Kotaku and just reset my twitter and e-mail password. I don’t appear to have spammed anyone on twitter.
mistermix
WRT Fleshbot: Gawker doesn’t like to own up to the fact that they run a porn site, so it isn’t on their list of affiliates and they don’t mention it much.
Ash Can
@mk3872: I disagree with this. They can be very therapeutic when you’re in a grouchy mood and feel like pushing some shmucks around.
stuckinred
@mistermix: You got’s to gives the peoples what they wants.
Omnes Omnibus
@stuckinred: Robot pr0n? Instapundit’s fav site?
Woodrow "asim" Jarvis Hill
If you don’t recall if you have an account with them or not, and want a simpler (but still not easy) way to check, go to this Google Doc, and follow the instructions. Remember you have to convert your email to what’s called an MD5 hash, and use that hash to search that online spreadsheet.
(h/t this comment on Metafilter).
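One way to do the hash-and-look-up check that comment describes, as an added Python example that is not from the comment or the spreadsheet it links. The hash set below is constructed for illustration, and whether the real spreadsheet lowercased addresses before hashing is an assumption, so both forms are tried:

```python
import hashlib

# Constructed sample standing in for the spreadsheet of MD5 digests; these are
# NOT real leaked values. One entry is hashed with its original casing, one
# in lowercase, to show why both forms are worth trying.
LEAKED_EMAIL_HASHES = {
    hashlib.md5(b"alice@example.com").hexdigest(),
    hashlib.md5(b"Bob.Smith@example.org").hexdigest(),
}


def email_hash_candidates(email: str) -> list[str]:
    """MD5 hex digests for the forms an address may have been hashed in.

    Assumption (not stated on the page): the list may hold the address
    hashed exactly as stored or after lowercasing, so produce both digests.
    """
    raw = email.strip()
    digests = []
    for form in (raw, raw.lower()):
        digest = hashlib.md5(form.encode("utf-8")).hexdigest()
        if digest not in digests:
            digests.append(digest)
    return digests


def is_in_leak(email: str, leaked_hashes: set[str] = LEAKED_EMAIL_HASHES) -> bool:
    """True if any candidate digest of the address appears in the leaked set.

    Only digests are compared, so the plaintext address is never sent
    anywhere; that is the point of searching a hash list rather than
    typing your email into a site you do not control.
    """
    return any(h in leaked_hashes for h in email_hash_candidates(email))


if __name__ == "__main__":
    for addr in ("ALICE@example.com", "Bob.Smith@example.org", "carol@example.net"):
        print(addr, "->", "listed" if is_in_leak(addr) else "not found")
```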
Punchy
Some site named “Lifehacker” got hacked? Oh, the irony.
scarshapedstar
It’s worse than you think, because you have to go through a “trial phase” where every comment you make has to be approved, meaning that none of them will show up until a week later and nobody ever reads them. There’s not like a quota, rather one of the writers has to deem you worthy of the awe-inspiring privilege of being an Official Gawker Commenter.
Basically, it works like your typical Stalinist wingnut cheerleading section; you have to agree with whatever the authors say. So it’s just another slap in the face that they let someone steal all of their precious accounts.
Hopefully 4chan takes credit for it.
J.W. Hamner
I can see the argument for usernames and passwords… that it makes pseudonymity a little stronger and the people who can’t be bothered to make them up probably won’t contribute much… but in practice it doesn’t seem to make much difference in my experience.
stuckinred
@Omnes Omnibus: virtual Chinese nookie factory, I just googled it to see what was up.
Ross Hershberger
@tBoy:
On paper, I hope. If someone gets into your computer they’ll immediately look for that and basically be you. Bank accounts and all.
Poopyman
@stuckinred: Chinese? You mean we’re down to offshoring this too?
The end of an empire, indeed.
D. Aristophanes
They do it because they want user information that they can package for advertisers.
Keith G
@stuckinred:
The Peoples’ Republic?
amorphous
@scarshapedstar: This is no longer required, though it was previously.
Rosalita
They want you to sign up and then if your comments are witty enough they might let you comment. Not worth the hassle.
Woodrow "asim" Jarvis Hill
@Ross Hershberger: There are excellent tools out there for tracking passwords and logins, such as KeePass and LastPass. Using those makes it a damned sight easier to track down these accounts, and ensure you’re using the right passwords for them. They also come with better encryption than most spreadsheet-based lists.
teresa_m
I find this interesting, and learned of it yesterday morning so I changed my GawkerMedia account info immediately. But what is interesting is watching a full blown hacker cyber war unfold. /b members are working their behinds off to find out who jester is to expose him, he and others are warring with /b, who usually just pick on people who throw puppies and kittens away or their biggest efforts that used to be to attack Scientology, but this wikileaks thing has led to an all out hacker war. It seems like the wild west survives, it has just been reincarnated in the form of hackers. And they do see themselves as the ones who ultimately own and direct the internet. jester has a blog of his own, and he is fun to read.
Oh and I think Gawker does this so users don’t have to have killfiles and yet trolls are everywhere, but the system does seem to limit the number of trolls participating at Gawker Media sites.
Ross Hershberger
I was a mainframer from about 1980 – 2001. The biggest mistake people made was to use the same PW for a bunch of different things. The system with the weakest security is then the gateway through all of them. Cheeseburger Network gets hacked and all of a sudden your BOA account is mysteriously empty.
Catsy
And I generally don’t. I’m one of those people the site statistics never really account for when webmasters are trying to figure out whether or not their latest attack of the clevers is helping traffic or not, because as soon as I hit a registration requirement I just back out and go somewhere else to do something else–permanently.
There are rare exceptions.
Will
@scarshapedstar:
Which means that a large amount of their “accounts” are people who signed up thinking they could add a quick comment to one of the posts, and then found out it would take forever to get through their “trial phase”, so they never went back. And now their information has been stolen.
TrishB
PSA addendum: If you have a Gawker account, change your email password even if it is not the same as your Gawker account password. I comment at io9 infrequently, but it seemed a little too close for coincidence that I was locked out of my Google accounts this morning due to “suspicious activity.”
Pongo
I got banned from commenting on Gawker a while back and have zero idea why. I thought about challenging it, but since I post to lots of forums and this is the only one where I’ve ever had an issue, I decided the problem was most likely theirs and not mine and just quit going to the site. Lots of other options for good interaction that don’t take themselves quite so seriously.
Tonal Crow
Storing passwords as plaintext is security malpractice.
That is all.
Jonathan Dough
They must have left the password list in a beer garden.
Jay in Oregon
@Ross Hershberger:
I use an application called 1Password for that; it keeps them encrypted until I put in the master password (which I don’t use ANYWHERE else), then it can auto-fill the username-password dialog for me.
Unfortunately, I have a habit of using one or two passwords for one-shot accounts on various blogs/comment forums, and I don’t remember which one I used on Lifehacker. So if I don’t want to be spamming other peoples’ blogs, I’d better go through and change all of them… *grumble*
ACS
I actually like the Gawker commenting system, although it might be influenced by the fact that I’m just a reader and not a commenter. It would never work for sites with a serious focus like politics, but for places where comments are mainly for the lulz, it’s great. Ever read a post where 99% of the comments are smart and/or hilarious and you don’t have to wade through 400 of them?
As I mentioned though, I only read and don’t comment, and I mostly read Deadspin and occasionally Gawker. I don’t go to any of the more serious sites on their network, so maybe it doesn’t work as well for places where your opinion on things actually matters.
PeakVT
On the plus side, registration prevents nickjacks, and reduces drivebys and sockpuppets. A big site’s comments are totally useless if it doesn’t have registration. Look at Clusterfuckstock, for instance.
Cris
User credentials really do have merit; for one thing, they cross the bridge between anonymity and pseudonymity. But there’s a huge difference between a site that collects genuinely personal and confidential information (banks) and one that simply tries to establish a consistent user identity.
Jeff Atwood has blogged about this a lot. He’s right: there are no perfect solutions yet, but the OpenID model is a very promising start. Let users establish their identity once, in a well-known and trusted location (Facebook, Yahoo, Google, etc) and have ancillary sites communicate with that central point.
Tonal Crow
@Cris:
I’m not happy with the idea that Google et al could then use the single identity to determine that I am commenting as x on site X, y on site Y, and z on site Z. Or to force me to use a single identity on X, Y and Z. Or to use my IP address/email address to infer that multiple “Open IDs” all represent me.
Which, of course, also implies that Facebook, Google, and Yahoo don’t appear on my list of “trusted” sites.
Andy K
Because spambots can’t sign up to a site if the process is set up correctly. It takes a real person to type in a captcha word.
My bet is that you’ve never cleaned the spam filter here.
Tonal Crow
@Andy K: CAPTCHAs and username/password signups are orthogonal. You can still eschew accounts while using a per-comment CAPTCHA to filter spambots.
Cris
@Tonal Crow: And part of the glory of OpenID* is that it doesn’t originate exclusively from any of those players. You can host your own OpenID provider if you’re inclined. And sites that implement OpenID correctly will accept your provider as authoritatively as they accept Google.
[*] and please note, I’m not shilling for OpenID proper. It’s their model that is on the right track, and if another protocol comes to the fore, great.
Dave Trowbridge
You can check to see if your username or email address have been compromised on any of the sites involved here.