Hack attack on Gawker spawns Twitter spam

Man measuring his waist Spammers have used the stolen account information to send tweets promoting diet pills

Related Stories

An attack on online gossip site Gawker Media has enabled spammers to take over thousands of Twitter accounts.

Gawker said on Sunday its servers had been hacked and 1.3 million user account passwords compromised.

A file containing those details was then published on a file-sharing site by a group allied to the notorious image board 4Chan.

That enabled spammers to break into thousands of Twitter accounts where users had used the same passwords.

Gawker published a statement on its homepage advising its users to change their password after its servers were attacked.

While the stored passwords were encrypted, "simple ones may be vulnerable to a brute force attack", it said.

A group calling itself "Gnosis" subsequently released a 500MB file containing the data taken from Gawker on the file-sharing system Bittorrent.

Harvested passwords

The motivation for the attacks is not yet clear.

Gawker has previously been targeted by hackers after posting blogs critical of 4Chan.

The attackers also took over Gawker-run Twitter accounts to publish messages supporting Wikileaks.

Gawker has also published blogs critical of Wikileaks founder Julian Assange.

And it is not just Gawker's Twitter accounts that have been broken in to.

Start Quote

Every identity thief, hacker and spammer out there will be attracted to that password file”

End Quote Graham Cluley Sophos

Del Harvey, who heads Twitter's trust and security team said a spam attack on the site appeared to be related to the theft of Gawker's account details.

Hundreds of thousands of Twitter users had seen their accounts compromised and messages sent promoting an Acai Berry diet.

"It's all too common that people use the same password for multiple accounts," Rik Ferguson, a security researcher at Trend Micro told the BBC.

Anybody that has had their Gawker account details published can expect to be targeted by other hackers, said Graham Cluley, a consultant at security firm Sophos.

"Every identity thief, hacker and spammer out there will be attracted to that password file," he said.

The impact would have been more serious if compromised accounts had linked to sites containing bank-credential-stealing malware, he added.

Users could protect themselves by creating complex passwords for each online service that needed a password, said Mr Ferguson.

Complex passwords can be made easy to remember, he said.

He suggested taking a the first letters from the words in a phrase a user is likely to remember, such as "I wandered lonely as a cloud".

Some letters can be replaced by symbols, perhaps using "@" instead of "a".

Finally, adding the first and last letter of the website being visited to that phrase creates a unique but memorable password that is hard to guess, he adds.

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.