A couple of weeks ago, servers at Gawker Media, Inc., which also runs the sites Lifehacker.com and Gizmodo.com, were hacked by a group calling itself Gnosis. Reportedly, more than 1.3 million user accounts, email addresses and passwords were obtained. The group has managed to decrypt about half of the database contents and has released it as a torrent.
You might be thinking that this is no big deal; people can just change their passwords. That’s true. The problem is that many people, against my advice and that of countless other security advisers, use the same combination of user credentials across multiple sites. The only way to mitigate the risk in this case is to change credentials at every site and never use the same password more than once.
To make matters even worse, quite a few of the accounts used ridiculously simple passwords. You can find a list of the top 250 most commonly used passwords here, but in case you’re wondering, here is a list of the top 10:
Count  Password
 2516  123456
 2188  password
 1205  12345678
  696  qwerty
  498  abc123
  459  12345
  441  monkey
  413  111111
  385  consumer
  376  letmein
The significance of “monkey” escapes me, but I’ve seen the other ones used many times in my role as sys admin.
Here’s what Woody Leonhard of Windows Secrets recommends:
While perusing the list is entertaining, the important lesson here is about password use. For example, let’s say you posted a comment on Lifehacker a few years ago. To post the comment, you had to give an e-mail address and password — which, at this very moment, somebody might be decrypting. Now let’s say you’re sloppy and using the same password for PayPal you used for Lifehacker. If a cyber thief has the foresight to sign on to PayPal with your e-mail address and cracked password, you can kiss your PayPal balance good-bye.
If there’s the remotest chance you’ve posted a comment on Lifehacker.com or Gizmodo.com, go immediately to Duo Security’s “Did I get Gawkered” site and enter your e-mail address. If your name’s on the list, change your passwords!
To that, I would add, “and be sure they are strong passwords.”
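To make that advice concrete, here is an added example of my own (not Gawker's, Duo Security's or Windows Secrets' code) that audits a password-manager export for exactly the problems described above: the same password used on more than one site, passwords that appear in the leaked top-10 list, and passwords shorter than twelve characters. The CSV layout, site names, usernames and passwords in the sample are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# The ten most common passwords from the leaked Gawker database, as listed
# in the post above (only membership matters here, so the counts are omitted).
GAWKER_TOP10 = {"123456", "password", "12345678", "qwerty", "abc123",
                "12345", "monkey", "111111", "consumer", "letmein"}

# Constructed sample export (site,username,password); not real credentials.
SAMPLE_EXPORT = """site,username,password
lifehacker.com,alice@example.com,monkey
paypal.com,alice@example.com,monkey
bank.example,alice@example.com,Correct-Horse-Battery-42
gizmodo.com,bob@example.com,T4xi!driver99
shop.example,bob@example.com,T4xi!driver99
forum.example,bob@example.com,abc1
"""


def parse_export(text):
    """Parse a CSV export with site, username and password columns."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries, min_length=12):
    """Return the findings a user should act on after a breach like Gawker's.

    reused: password -> sorted list of sites where that same password is used
            (only passwords seen on more than one site are included)
    common: sites whose password is in the leaked top-10 list
    short:  sites whose password is shorter than min_length characters
    """
    sites_by_password = defaultdict(set)
    for e in entries:
        sites_by_password[e["password"]].add(e["site"])
    reused = {pw: sorted(sites) for pw, sites in sites_by_password.items()
              if len(sites) > 1}
    common = sorted(e["site"] for e in entries if e["password"] in GAWKER_TOP10)
    short = sorted(e["site"] for e in entries if len(e["password"]) < min_length)
    return {"reused": reused, "common": common, "short": short}


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    # Report sites only; never echo the passwords themselves to the terminal.
    for sites in report["reused"].values():
        print("Same password used on:", ", ".join(sites))
    print("Password is in the leaked top-10 list:", ", ".join(report["common"]))
    print("Password shorter than 12 characters:", ", ".join(report["short"]))
```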