Gawker hack may put government workers at risk

Report says government passwords culled in hack

Government employees who accessed the popular Gawker Media website may be at risk of future cyberattacks as a result of the weekend hack of the site, according to a report from "PBS Newshour." The report states that during the Gawker attack, a “select sublist” of apparent e-mail addresses and passwords of employees from federal, state and local government agencies was compiled for potential future attacks. The individuals whose passwords were posted included a NASA official and a chief of staff for a member of Congress, the article states.

Gawker, which publishes several news and entertainment blogs, said about 1.3 million accounts had been compromised, including users' passwords. The data reportedly was released publicly on file-sharing sites on the Internet.

Government employees who may have accessed Gawker from their work computers are being urged to change their password information to reduce their risk, the article states.

Gawker posted the following after Sunday afternoon’s attack:

"Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you've used the same passwords. We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us."

The post goes on to give tips for creating strong passwords and gives instruction on how to change a password. (Nearly 2,000 of the stolen-and-published passwords were "password," according to PBS, suggesting that many people haven't taken this lesson to heart.)

PBS reports that the list includes a variety of government agencies at the state and federal levels, and Congress.

The identity of the Gawker hack perpetrator seems to be unclear. The loosely organized ring of international hackers that call themselves "Anonymous" and are operating under the label "Operation Payback" may have been involved, according to published sources. It was "Anonymous" hackers who took down the websites of Visa and MasterCard after they stopped processing donations to WikiLeaks.

However, the blog Urlesque reports that the hacker group Gnosis carried out the attack. Gnosis "isn't affiliated with Anonymous, but it took issue with Gawker's dismissive attitude toward Anon and hackers in general, and decided to send a message," writes Jay Hathaway at Urlesque.

Another Village Voice blog entry reports that someone claiming credit for the hack disavowed a connection to Operation Payback but posted what the hacker purported to be a transcript from Gawker's internal chat program. However, the transcript seems to be from several months ago, making it impossible for the hack being discussed in the conversation to be yesterday's, the Voice reports.

PBS posted instructions that were attached to the selected government addresses from inside an Anonymous chat room.

The instructions, riddled with grammar and spelling errors, said in part: “These people more than likely use the same pass everywhere. Try to gain access to the @email STMP using the email/pass combination also google their email address to find other accounts on the inernet [sic] they may have and try their password with said accounts.

“If the people in this dump have admin/mod rights there maybe [sic] other sensitive information worth disclosing to the internet, scrape any and all information you can and dont be XXXXing stupid, these are government officials, use many layers of proxies and report back any lulz to (REDACTED).”

About the Authors

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Alysha Sideman is the online content producer for Washington Technology.


Reader comments

Thu, Dec 16, 2010 Jeffrey A. Williams

There are black hat hackers and white hat hackers. The former are dangerous and some are very, very good, which is even more dangerous. Using bad password practice isn't the cause in this incident. Gawker's security, or lack thereof, is. When using or accessing such social media websites like Gawker, one is taking a certain amount of risk which is oftentimes impossible to determine. Some security standards for such websites need to be established and strongly promoted. Those that do not post on their website in plain sight what security precautions they have in place for their social blogs, etc., should be avoided.

Tue, Dec 14, 2010

Why should an employer trust a known hacker? The hacker has already demonstrated disregard for law and privacy. As an employer, I want talent that is not tainted by lawlessness.

Tue, Dec 14, 2010

What is the downside to Gawker for the breach in security? There is no penalty for Gawker due to the loss. Just a notice of the loss and an "Ooops" moment.

Tue, Dec 14, 2010

Won't that be something when the USA realizes this group is just a bunch of kids with mad computer skills. Looks like we need to be offering jobs instead of hunting them down. Just a thought.
