The wrong way to be a good samaritan

By | December 13, 2010

You’ve probably heard by now (the party line from Gawker, an a much more comprehensive analysis from Forbes) that a huge database of Gawker Media usernames and (poorly) encrypted passwords was recently stolen, and that the thieves published the stolen data for anyone in the world to download, and that the thieves managed to crack hundreds of thousands of the passwords using a brute-force attack. As far as I know, the thieves, who are in it for glory rather than money, haven’t released the decrypted passwords, but since they released the usernames and encrypted passwords, anyone on the Internet is free to download and do their own brute-force cracking.

Fortunately, this security breach had almost no effect on me, because I’ve already learned the hard way about the perils of using the same password on multiple sites, and because I don’t really care if my email address is leaked to yet another group of spammers since it’s been widely disseminated all over the Internet for over two decades and my spam filtering is just fine.

However, this morning, I received an email message from “teamhint@hint.io” which read as follows:

Hi there,

Hint wanted to let you know that your email address and password that you used to signup for Gawker (or one of its sites) were hacked. Forbes’ coverage is at http://blogs.forbes.com/kashmirhill/2010/12/12/gawker-gets-hacked-by-gnosis/

In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.

-The Team at Hint (http://www.hint.io)

(This is a one time email)

Here’s what’s funny about this email:

  • The links in it, which I haven’t shown above, are obfuscated tracking links pointing back at email.hint.io.
  • As far as I can tell, the company Hint has nothing whatsoever to do with Gawker, and the email message offers no explanation for why it’s appropriate for Hint, in particular, to be sending out this notification.
  • The company it purports to be from, Hint, is apparently a stealth-mode start-up whose Web sites reveals nothing substantive about what it is doing or when it will be going live with whatever is doing, so there’s no way to verify the authenticity of the message.
  • If you look in the headers of the email message, it claims to have originated at “matthew-gagnons-macbook-pro.local”. It turns out that Matthew Gagnon is affiliated with Hint, and one of his recommendations there even makes reference to the MacBook Pro being his platform of choice, so it would seem that the references to “Hint” in the email header are legitimate. I doubt Mr. Gagnon wanted to reveal himself in this way as the sender of the message, though. Perhaps the folks at Hint have some work to do on their software to prevent inadvertent privacy breaches like this one.
  • I can’t help but suspect that whatever Hint is getting ready to go public with may compete with Gawker. If so, then it looks to be in rather poor taste for them to be the ones broadcasting Gawker’s screw-up, as bad as it may be.

Here’s some advice for the folks at Hint for the next time you take it upon yourselves to notify >1 million users that some other site they use has been compromised:

  • You need to do a much better job of explaining why you’re doing it and why it’s appropriate for you, in particular, to be doing it. If there’s no reason, then don’t do it.
  • Don’t put tracking links in your email.
  • Don’t be anonymous. Put a real person’s name on the message. Put a URL in the Web site people can use to verify that not only your claim that the breach occurred, but also your notification about it, is legitimate.
  • Don’t bewail your competitors’ tragedies in anonymous notification emails.
  • If you do insist on doing your notification anonymously, then don’t leak the real identity of the sender in the headers of the message.
Share

6 thoughts on “The wrong way to be a good samaritan

  1. mercy

    Such people when cited they should be positioned to give thorough explanations, it is amazing alot.

    Reply
  2. David

    Interesting. I had a Gawker account. I guess mine was also compromised. I did not receive any sort of email from hint, or perhaps it was in my spam folder and has already been chucked out. More interestingly, I was just now contacted by the NY Times and a link to their Gadgetwise. . They are confirming that my Gawker account was indeed compromised.

    — David

    Reply
  3. kaffeenhed

    I also received this email, and wrote on it here: http://wp.me/p1dTj0-p

    I was particularly perturbed that the subject line of the email made it sound like I already had an account at hint.io, which I’d never heard of before today. To me, this immediately reeked of spam, in about the same way an “Account Confirmation Notification” or something from a bank I’ve never done business with would.

    I’m not sure if they were trying to do the right thing and are just inept at it, but it just seemed like the Internet equivalent of ambulance chasing to me.

    Reply
  4. Pingback: How Not To Capitalize On A Security Compromise - Phil Hagen's Scratch Pad

  5. jik Post author

    I hadn’t thought of that. I suppose it’s possible. I guess Matt Gagnon and Hint owe everyone an explanation.

    Reply
  6. SRC

    Could Hint be affiliated with Gnosis? Perhaps the Matthew Gagnon header was left on purpose…perhaps as some kind of HINT? Just wondering.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *