You’ve probably heard by now (the party line from Gawker, an a much more comprehensive analysis from Forbes) that a huge database of Gawker Media usernames and (poorly) encrypted passwords was recently stolen, and that the thieves published the stolen data for anyone in the world to download, and that the thieves managed to crack hundreds of thousands of the passwords using a brute-force attack. As far as I know, the thieves, who are in it for glory rather than money, haven’t released the decrypted passwords, but since they released the usernames and encrypted passwords, anyone on the Internet is free to download and do their own brute-force cracking.
Fortunately, this security breach had almost no effect on me, because I’ve already learned the hard way about the perils of using the same password on multiple sites, and because I don’t really care if my email address is leaked to yet another group of spammers since it’s been widely disseminated all over the Internet for over two decades and my spam filtering is just fine.
However, this morning, I received an email message from “email@example.com” which read as follows:
Hint wanted to let you know that your email address and password that you used to signup for Gawker (or one of its sites) were hacked. Forbes’ coverage is at http://blogs.forbes.com/kashmirhill/2010/12/12/gawker-gets-hacked-by-gnosis/
In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.
-The Team at Hint (http://www.hint.io)
(This is a one time email)
Here’s what’s funny about this email:
- The links in it, which I haven’t shown above, are obfuscated tracking links pointing back at email.hint.io.
- As far as I can tell, the company Hint has nothing whatsoever to do with Gawker, and the email message offers no explanation for why it’s appropriate for Hint, in particular, to be sending out this notification.
- The company it purports to be from, Hint, is apparently a stealth-mode start-up whose Web sites reveals nothing substantive about what it is doing or when it will be going live with whatever is doing, so there’s no way to verify the authenticity of the message.
- If you look in the headers of the email message, it claims to have originated at “matthew-gagnons-macbook-pro.local”. It turns out that Matthew Gagnon is affiliated with Hint, and one of his recommendations there even makes reference to the MacBook Pro being his platform of choice, so it would seem that the references to “Hint” in the email header are legitimate. I doubt Mr. Gagnon wanted to reveal himself in this way as the sender of the message, though. Perhaps the folks at Hint have some work to do on their software to prevent inadvertent privacy breaches like this one.
- I can’t help but suspect that whatever Hint is getting ready to go public with may compete with Gawker. If so, then it looks to be in rather poor taste for them to be the ones broadcasting Gawker’s screw-up, as bad as it may be.
Here’s some advice for the folks at Hint for the next time you take it upon yourselves to notify >1 million users that some other site they use has been compromised:
- You need to do a much better job of explaining why you’re doing it and why it’s appropriate for you, in particular, to be doing it. If there’s no reason, then don’t do it.
- Don’t put tracking links in your email.
- Don’t be anonymous. Put a real person’s name on the message. Put a URL in the Web site people can use to verify that not only your claim that the breach occurred, but also your notification about it, is legitimate.
- Don’t bewail your competitors’ tragedies in anonymous notification emails.
- If you do insist on doing your notification anonymously, then don’t leak the real identity of the sender in the headers of the message.