Gizmodo Data Breach Q&A: We're Here to Help


All the Gawker Media sites were compromised this weekend. This probably leaves you with a lot of questions on the status of your accounts. Here's the place to ask them. Both editors and tech are here at your disposal.


First thing you should do is change your password. Lifehacker's FAQ is a good place to start to figure out how. There are some quirks in the password reset function right now, like not being able to access your account if your email is locked out. This will be fixed in the near future. But you should start in that post to get a good idea of what happened. The short story is, your Twitter and Facebook accounts that you linked to your comment profiles are safe—those passwords didn't get compromised—but if you use the same password everywhere, then you should audit and update them.

Once again, we're here for you, the commenter. Our posts would be boring without comments, and it's pretty accurate to say that we have some of the best commenters anywhere on the internet. Seriously, you can go to any site, look at their comments, then come back here and realize that we have it pretty freakin' great. You guys make our stories pop, and in many instances, add and contribute new facts that we hadn't considered. You guys even started a thriving community based on just comments.

But here's your chance to ask questions about your Gawker Media (Gizmodo) commenting accounts, vent, or just help each other with issues you have. Go for it. We'll drop in as much as we can, in between dealing with the issues this has caused on our side as well.


I'll also keep updating the post itself with commonly asked questions and their respective answers, so check here first.


Q: There is only one password per account, correct? And one account for all the Gawker sites?
i.e. We don't need to change it on each of Gawker's sites?
A: That's right, one pass per account. One account per all of Gawker's sites. They're shared.


Q and A: I couldn't change my password while logged in with my current password, or log in once I logged out with my current password, but I was able to set things straight by requesting a new password, and then changing it. Hope that helps someone.

Q: So if the accounts have been compromised, how can I be sure that the commenters are who they say they are?
A: Even on a normal day, it's unclear whether or not someone is really who they seem to be. They could have forgotten to log out at a library computer. If a commenter is posting ridiculous or offensive things, alert a moderator or an editor, and we will take a look. Their account may have been compromised.


Q: Does this have any effect on the users of the site who do not have a commenter account, but do subscribe to any of the Gawker email lists?
A: It's possible that your email address was obtained from that database that held the email lists, but there was no password associated with that list. The most that could happen is that a person could use your email and send you a phishing request, pretending to be Gawker. I don't think that's very likely.

Q: Hi Jason, in all seriousness - do you guys really think of us peasants? While I don't really have any hurt feelings and know this was not aimed at my person individually, I do feel like commenters are more than just that.
A: I can't (and shouldn't) speak for the folks at Gawker, but they've said repeatedly that it was a joke, the kind that gets made when you're just talking to your coworkers. It's not indicative of how people feel here.


Q: Getting a "Password Reset Failed" message. Please advise.
A: Tech's working on fixing the bugs with the password reset feature.

Q: When will the option to delete account be available?
A: Tech's working on enabling this feature, and we'll let you know when it's active.


Q: How can you tell if your account was created with Facebook connect?
A: Do you log in with your Facebook account? Click log out. Then click log in. It'll say "log in with your facebook account or your gizmodo account."

Q: Why is password change or recovery failing?
A: We are working to limit the scope of the problem, and as part of that are changing the password for every account that could be cracked. Not all accounts will have their passwords reset. This process is running in the background and causing occasional errors when changing passwords. We will notify our readers once via posts on the sites and an update on this page once this process is complete so you can try again. We expect this to be completed within a few hours. This affects password change and the 'Forgot Password' process. Please continue to update all passwords on sites that shared a password with your Gawker Media account.


Q: Why does my password no longer work?
A: We have reset the vulnerable account passwords to make them inaccessible to anyone with their old password. We are updating all of these accounts to use the modern bcrypt hash. If you did not have an email address associated with your account, and are currently unable to access your account, it is unlikely we will be able to restore access to your account. We suggest registering for a new account. We will be continuing to study this problem and notify readers if we develop a solution.

Q: I received an e-mail from a company called "Hint" informing me that my account's data was taken. Did anyone else get one of those?
A: Yes, this was not Gawker, but a third-party sending emails to all the harvested addresses. Gawker will be sending a notification soon.


Q: I can't log in. What do I do?
A: There are three possibilities. If you have an email address associated with that account, click "reset password" to get a new password. You can try again tomorrow after the tech issues get sorted. If you don't have an email address associated with your account, and still can't log in tomorrow, email and they will reinstate you after a few verification requests.

Q: How can I tell if my password was hacked?
A: Slate made a useful widget that you can use to quickly check, by typing in your email here.


Q: So, if my email shows up as not compromised on Slate's widget, does that mean that I just got lucky? Or did my friggin beastly password keep them out?
A: Change your password anyway. The list used by the widget may not include all compromised accounts.

Q: What have you done to ensure that this attack won't succeed again?
A: There's going to be an independent security audit of the entire system to hopefully ensure that it doesn't happen again.



