Shock and awe with gawker.com: How to test if you have been breached

Blog Post created by rapid7-admin on Dec 13, 2010

Originally Posted by Chris Kirsch
[Figure: Google Fusion table listing the MD5 hashes of breached email addresses from the Gawker.com data breach]
This weekend, the Web and back-end database of Gawker.com was published on Pirate Bay. If you had a personal email account registered at Gawker or one of their associated web sites, such as Engaged, you may have been breached. This is especially a problem if you are using the same password across a number of sites, because we expect that malicious hackers are already trying the same user name and password combinations to log onto other sites, such as Paypal, Amazon, and online banking accounts.

As a public service, we have put together an easy way for you to test if your password has been breached. Here is how you do it:

  1. Create an MD5 hash of your email address by entering it, in lowercase, on this website.

  2. Search for the MD5 hash in this Google Fusion table to see if your account was breached. To do this, click on Show options, then set the condition to MD5 = YourHash, and click Apply. If you find an entry in the table that matches your MD5 hash, your Gawker account has been breached. If you don't see an entry below the gray header bar, you're fine.
Note: The original database includes the email addresses in clear text. We have hashed the email addresses to protect the privacy of the individuals while still enabling everyone to check whether their own email address has been breached. In other words, the hashes are not password hashes.

We recommend that you don't change your gawker.com password until the site has fixed the security issue that led to this breach. Otherwise, your new password may be breached without your knowledge and give you a false sense of security.

If you have been breached and would like to audit whether the compromised password is being used for any account within your network, including Windows, FTP, and telnet accounts, download a trial version of Metasploit Pro and provide the user name and password as known credentials before launching a brute force attack on your network.