FAQ: Compromised Commenting Accounts on Gawker Media

By Management Of Gawker Media

On December 12th, we discovered that Gawker Media's servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. If you're a commenter on any of our sites, you probably have several questions.

We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security—and of trust. We're working around the clock to ensure our security (and our commenters' account security) moving forward. We're also committed to communicating openly and frequently with you to make sure you understand what has happened, how it may or may not affect you, and what we're doing to fix things.

We'll continue to update this FAQ throughout this process.

Frequently Asked Questions

1) How do I know if my password was hacked?
2) What if I logged in using Facebook Connect? Was my password compromised?
3) What if I linked my Twitter account with my Gawker Media account? Was my Twitter password compromised?
4) Should I be concerned about my other online accounts? What if I used that password on other sites?
5) How can I delete my account?
6) How do I change my password?
7) I don't know my Gawker account password, and recovery via email didn't work. What's the deal?
8) Who was responsible for the hack? How did it happen?
9) How are you notifying those whose details were compromised?
10) My password isn't working, and I didn't have an email associated with my account. What do I do?
11) What are you doing to ensure this doesn't happen in the future?
12) What should I do now?
13) When did you discover the breach had occurred?
14) Why is password change or recovery failing?
15) Why does my password no longer work? What do I do if I can't log in?
16) Why Did I Get an Email from Hint.io?
17) I received an email from "Gawker Media" on December 13, was that from you?
18) How old is the data released? It appears to have an old password / email of mine.
19) I want to change all my data in my Gawker account so that I can't be linked to the released data.
20) What can I do if I'm receiving spam because my email was leaked?

More specific account issues:

I tried to log in but can't.
I reset my password but didn't receive an email.
I am receiving an error when I try changing my password.
I can't change my password.
I have an account but password reset doesn't recognize my email.
I used the password reset option, but you sent me a different username.

1) How do I know if my password was hacked?
If you've registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn't log in using Facebook Connect, then it's best to assume that your username and password were included among the leaked data.

Passwords in our database are encrypted (i.e., not stored in plain text), but they're still vulnerable to hackers. You should immediately change the password on your account, and if you used that password on any other web site, you should change your passwords on all of those accounts as well.

Additionally, the folks at Slate put together this simple widget you can use to check if your email address or username was associated with a hacked account. Security company Duo Security also put together Did I Get Gawkered? for the same purpose; you can read more about it here.

2) What if I logged in using Facebook Connect? Was my password compromised?
No. We never stored passwords of users who logged in using Facebook Connect. At one point we had, however, disabled Facebook Connect logins while we performed our security audit. Facebook logins have since been restored.

3) What if I linked my Twitter account with my Gawker Media account? Was my Twitter password compromised?
No. We never stored Twitter passwords from users who linked their Twitter accounts with their Gawker Media account. However, if you used the same password for your Twitter account as you did on your Gawker Media account, you should change it immediately.

4) Should I be concerned about my other online accounts? What if I used that password on other sites?
If you used your Gawker Media password on any other web site, you should change the password on those sites as well, particularly if you used the same username or email with that site. To be safe, however, you should change the password on those accounts whether or not you were using the same username. We've put together a guide to help you audit and change your passwords.

5) How can I delete my account?
We don't allow deletion of accounts or comments as per our terms of service. If you have specific questions about your account, please contact [email protected].

6) How do I change my password?
You can change your password in your profile settings. Log in to your account, click your username, then click "Password." Enter your old password and your new, desired password and click "Save." Your password will be updated.

7) I don't know my Gawker account password, and recovery via email didn't work. What's the deal?
We had shut down email services on some servers earlier today, but service should now be restored. Please try again and make sure you check your spam filters.

8) Who was responsible for the security breach? How did it happen?
A group calling itself Gnosis has claimed credit for hacking our servers.

9) How are you notifying those whose details were compromised?
We are in the process of notifying those users who associated an email address with their Gawker accounts. Unfortunately, sending email to 1.4 million email addresses is not a simple task. We've been working with MailChimp to notify commenters securely and as quickly as possible.

10) My password isn't working, and I didn't have an email associated with my account. What do I do?
We are still working through possible ways to deal with this situation. We'll be sure to update this FAQ once we come up with a good solution.

11) What are you doing to ensure this doesn't happen in the future?
We're bringing in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.

12) What should I do now?
You should change your password as soon as possible, both on Gawker Media and on any other site where you use that password. We've put together a guide to help you audit and update your passwords which, essentially, will help you identify other sites where you were using the same password as you were on Gawker Media.

13) When did you discover the breach had occurred?
We became aware of some rumors on Saturday afternoon and began investigating the claims; however, we did not confirm there had been a breach until a little before 3:30pm EST, and posted a statement on all sites shortly thereafter.

14) Why is password change or recovery failing?
If you received an error message when changing or recovering your password, please try again now.

15) Why does my password no longer work?
We have reset the most vulnerable account passwords to make those accounts inaccessible to anyone who may have your old password. We are updating all of these accounts to use the modern bcrypt hash. If you did not have an email address associated with your account, and are currently unable to access your account, it may be difficult to verify and recover your login. We suggest registering for a new account.

We understand that this impacts readers who have put a lot of energy into their communities. We will do all that we can to recover your locked account. Please direct questions about account restoration to [email protected]. We are continuing to study this problem and will notify readers if we develop a comprehensive solution.

16) Why Did I Get an Email from Hint.io?
As of now, it appears that a startup called Hint.io is trying to be "digital good samaritans", emailing users at addresses included in the leaked database to warn them of the leak. We recommend staying cautious just in case, and have reached out to Hint.io for more details.

17) I received an email from "Gawker Media" on December 13, was that from you?
Yes, that was us, sent from help AT gawker DOT com. We've been working since Sunday evening to send a formal notification to all emails associated with any Gawker Media commenting account, but unfortunately emailing nearly 1.4 million users is not a simple task. You should continue to visit this FAQ for updates.

18) How old is the data released? It appears to have an old password / email of mine.
It appears what was released was a partial record of our database that was over a year old, so any changes you've made since then (email address, password, username) wouldn't be reflected in this data.

19) I want to change all my data in my Gawker account so that I can't be linked to the released data.
Another option exists if you would like to keep your account — maintain the record of comments made, preserve a star, save private messages, keep followers and friends — but are understandably concerned about the association of your username and email.

You can change the "base username" — the name you log in with — by clicking on your profile page, clicking the "Edit Profile" link, then clicking (change username).

You can then alter the name to any new moniker that you like (currently, this swap works just once, so be certain you choose a name you really like). You can change your "screen name" — the name that displays on your comments — as frequently as you like via the same "Edit Profile" link. Also in that screen, you can enter an entirely anonymous new email address.

With this option, you can effectively keep your whole account and history, and simply swap out the username and email that was previously associated with you.

20) What can I do if I'm receiving spam because my email was leaked?
You can take steps on your own to wipe out spam from your inbox, but you've also got legal recourse.

The CAN-SPAM Act of 2003 allows for a private right of action against spammers. The problem is that we need your help to find out about all the various spammers. If you receive any spam in your inbox that you believe is related to your leaked email address, please forward that spam email to spam AT gawker DOT com, and we'll contact the FTC on your behalf. If you'd like, you can also reply to the spammer with the following email:

To Whom It May Concern:

I believe that you and/or your agents are sending SPAM emails using email addresses harvested from the Gawker database that was published on the internet, and that is why I am now receiving unsolicited email from you.

This email is to put you on notice that I have reported this to Gawker Media and they will be notifying the FTC of your actions and will consider pursuing private legal action under the provisions of the CAN-SPAM Act should you continue to send out SPAM emails to their reader base.

As you may be aware, penalties for violations of the CAN-SPAM Act can reach several million dollars in fines, in addition to injunctive relief. Consider this email a warning and cease your SPAM emailing activity immediately.

Regards,

Your name here

I tried to log in but can't.
Please reset your password by clicking the "reset your password" link at the bottom of the login box. If your email address is not associated with your account, you will need to email help AT gawker.com with your username and email address.

I reset my password but didn't receive an email.
Did you check your spam filter? Our email servers were overloaded through Monday, so please try again. If you still do not receive the email, please email help AT gawker.com explaining your problem and include your username and the email address you are using for the password reset.

I am receiving an error when I try changing my password.
We have made some changes that should resolve this problem, so please try again.

If you receive an "Incorrect old password" error, the best thing to do is a password reset using the link at the top of every page (currently only if you're logged in). This will generate a new password and email it to your email address on file.

If, while attempting a password reset, you receive the error "That email address is not in our records", then please email help AT gawker.com explaining your problem and include your username and the email address you believe is associated with the account.

I can't change my password.
The best thing to do is a password reset using the "reset your password" link at the top of every page (currently it only appears if you're logged in). This will generate a new password and email it to your email address on file.

If, while attempting a password reset, you receive the error "That email address is not in our records", then please email help AT gawker.com explaining your problem and include your username and the email address you believe is associated with the account.

I have an account but password reset doesn't recognize my email.
Are you currently logged in on any computer? If you are logged in, you can update the email address associated with your account by visiting your profile page (www.sitename.com/me/) and clicking the "Edit Settings" link. Please update your email address there and try resetting your password again.

If you're not logged in, please send an email to help AT gawker.com with your username and the email address you believe is associated with the account.

I used the password reset option, but you sent me a different username.
Some email addresses are associated with multiple accounts, and the password reset function is resetting only one of them. We've found this happens especially with users who registered for a commenting account, and at a later point commented via email. When we first released anonymous commenting via email, we assigned that user a random username. It's understandable that users are concerned when they receive a password reset for a username they think has nothing to do with them, but we're finding that the mysterious username ends up being the username that was generated for them. If you tried a password reset and weren't able to reset the username you were looking for, please email help AT gawker.com with the username for the account you need reset and your email address.