Dec 14, 2010 14:57 GMT

An analysis of the leaked Gawker user database revealed that a great many people use extremely weak passwords, ones that appear on the default wordlists of most password-cracking software.

This past weekend, Gawker Media, the company operating some of the Internet's most popular blogs, including Gizmodo, Lifehacker, Kotaku and Gawker, was the victim of a major security breach.

A group of hackers compromised its servers and walked away with the full source code of its proprietary publishing platform, internal chat logs and emails, as well as a database containing 1.3 million accounts.

All of the data was released on the Internet for virtually anyone to download; however, the passwords in the database were hashed with the DES-based crypt(3) function.

Nevertheless, passwords of eight characters or fewer hashed in this way are susceptible to cracking, which allowed researchers from a company called Duo Security to recover 400,000 of them and perform a basic analysis.

The most common password used by Gawker users was the old favorite "123456," encountered 2,516 times. Next came "password," 2,188 times, and "12345678," 1,205 times.

The top ten most-used passwords also included "qwerty" (696), "abc123" (498), "12345" (459), "monkey" (441), "111111" (413), "consumer" (385) and "letmein" (376).

Other weak but popular passwords such as "superman", "iloveyou", "f***you" and "whatever" were also common. The problem is that most of these passwords appear on the default wordlist of any reputable password-cracking program.
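The two points above, the eight-character limit of DES-based crypt(3) and the top-ten list recovered by Duo Security, combine into a registration-time check a site operator could run. This is an added example, not code from the article or from Duo Security; the screening function, the sample candidate passwords and the "problems" labels are constructed here for illustration.

```python
# Added example (not from the article or Duo Security): why "password123"
# is no stronger than "password" on a site that stores passwords with
# traditional DES-based crypt(3), plus a registration-time screen that
# checks the part of the password that actually gets hashed.

# Top ten from the Duo Security analysis quoted in the article.
GAWKER_TOP10 = ["123456", "password", "12345678", "qwerty", "abc123",
                "12345", "monkey", "111111", "consumer", "letmein"]

# Traditional DES crypt(3) uses only the first 8 characters of the
# password; anything after that is silently ignored.
DES_CRYPT_MAX = 8


def des_crypt_effective(password: str) -> str:
    """The portion of a password that DES crypt(3) actually hashes."""
    return password[:DES_CRYPT_MAX]


def screen_password(password: str, wordlist=GAWKER_TOP10) -> dict:
    """Findings a signup form could show before accepting a password."""
    effective = des_crypt_effective(password)
    problems = []
    if effective in wordlist:
        problems.append("on breached-password list")
    if len(password) > DES_CRYPT_MAX:
        problems.append("characters past the 8th are ignored by DES crypt")
    if effective.isdigit():
        problems.append("digits only")
    return {"effective": effective, "problems": problems}


def effective_groups(passwords) -> dict:
    """Group candidate passwords that DES crypt(3) would hash identically
    (same salt assumed); one cracked entry reveals the whole group."""
    groups = {}
    for pw in passwords:
        groups.setdefault(des_crypt_effective(pw), []).append(pw)
    return groups


if __name__ == "__main__":
    # Constructed sample of candidate passwords, not data from the breach.
    sample = ["password", "password123", "password!2010", "monkey", "letmein99"]
    for pw in sample:
        print(pw, "->", screen_password(pw))
    print(effective_groups(sample))
```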

Granted, people used their Gizmodo accounts mostly for commenting, so many might not have cared too much about their security.

However, a considerable number of them had evidently also linked their Twitter accounts to their Gawker ones, as the compromise was later tied to a mass spam attack on the microblogging platform.

Duo Security, which provides a cloud-hosted two-factor authentication service, also analyzed the most common email providers used by Gawker users.

Gmail was at the top of the list with 173,942 uses and was followed by Yahoo! Mail (101,959), Hotmail (72,847), AOL (20,551), comcast.net (8,106), msn.com (6,078), mac.com (5,835), sbcglobal.net (4,341), hotmail.co.uk (3,397) and verizon.net (2,531).

"If you're an end user and think you may have registered an account with Gawker or one of its affiliated sites, be sure to change your passwords on any sites that may have the same or similar password as your Gawker account," writes Jon Oberheide, a researcher at Duo Security.

"In general, incidents like these are a good time to revisit your existing password schemes and ensure you are protecting your online accounts adequately," he advises.