We're here for you in the Hackerpocalypse


As you've probably heard, the Gawker Media sites were compromised over the weekend. But we're here for you. We've got the latest information, and want you to use this post as a place to talk.


First thing you should do is change your password. Lifehacker's FAQ is a good place to start to figure out how.

UPDATE 12/15: Please read the latest instructions on how to change your password and recreate your account, particularly if you are having trouble getting the user name you used to have.

Our tech team says:

If you have an email address associated with the account, click Reset Password to get a new password. (Note that it can take many hours to get an email with your new password.)

If you don't have an email address associated with your account and still can't log in: email help@gawker.com and we will manually reinstate you after a few verification questions.


Some folks are reporting problems with slowness when it comes to changing your password - especially if you request a new password by email. Please be patient - everybody is changing their passwords at the same time. We will keep you updated throughout the day.

The group of hackers who compromised our sites call themselves Gnosis and they posted a list of all the passwords and emails that they found and are circulating it on BitTorrent. Several helpful io9 commenters in our open forum called Observation Deck have already downloaded it and are helping people figure out whether their password is in the list. Thanks to those folks! (UPDATE: Want to check if your password was released? Use this handy widget over at Slate.)


The important thing is that you should change the password for your commenter account even if it isn't on the list - just to be safe.

The OTHER important thing you should know is that the only things Gnosis leaked related to commenter accounts were passwords to those accounts. So unless you are using the same passwords for other accounts like e-mail or Twitter or Flibbledeeboop, your other accounts on the interwebs should be safe.


It goes without saying that we're incredibly sorry you have to deal with this hassle. We love our commenters dearly, and don't want you to have trouble adding your thoughts to our thoughts on posts. Today may be a little rocky, and I welcome your thoughts/complaints/helpful tips in comments below and in Observation Deck. Thanks again to all the commenters who have already been so helpful. Your editors and the Gawker Media tech team will be working all day to make sure that this doesn't happen again.


Here's the latest from Gawker Tech Hivemind:

Q: Why is password change or recovery failing?
A: We are working to limit the scope of the problem, and as part of that are changing the password for every account that could be cracked. Not all accounts will have their passwords reset. This process is running in the background and causing occasional errors when changing passwords. We will notify our readers once via posts on the sites and an update on this page once this process is complete so you can try again. We expect this to be completed within a few hours. This affects password change and the 'Forgot Password' process. Please continue to update all passwords on sites that shared a password with your Gawker Media account.


Q: Why does my password no longer work?
A: We have reset the vulnerable account passwords to make them inaccessible to anyone with their old password. We are updating all of these accounts to use the modern bcrypt hash. If you did not have an email address associated with your account, and are currently unable to access your account, it is unlikely we will be able to restore access to your account. We suggest registering for a new account. We will be continuing to study this problem and notify readers if we develop a solution.


If you are one of the people whose password was changed, but who never had an email associated with your account, you may not be able to get back into your account. You'll have to create a new account and start from scratch. If you're a longstanding commenter who has put a lot of energy into building up your account, or if you're a star commenter and want your status back, we'll do everything we can to recreate an account for you with your full status. Just email us (our emails are on the left-hand side of the page) and tell us who you are and we'll do everything we can to help put things right. Do NOT email us if you have an email associated with your account but you haven't gotten your new password yet. Things are very slow today and it may take several hours to get that mail.




So they downloaded a list of 1,247,897 encrypted passwords, and then cracked 273,789 of them. If my password wasn't cracked, does that mean it was stronger than any of the first 273,789, or have they just not got around to trying it yet?