
Gawker founder admits security errors


nsane.forums


Thomas Plunkett says the firm was not prepared for the hack that exposed over a million users' details

The founder of Gawker Media, Thomas Plunkett, has admitted that the company was unprepared, both technically and in its communication and subsequent customer support, for the server security breach that exposed over one million user account details.

In a leaked internal memo published on The Next Web, Plunkett explained that the hackers had infiltrated the firm’s web servers by exploiting a source code vulnerability. This allowed them to access user data and passwords and subsequently “the editor wiki, some Gawker Media email accounts, and other external resources”.

Plunkett admitted that the media company’s focus had been on growing the business and not ensuring that the platform was as secure as possible, leading to software development errors and a general lack of “standards and practices”.

“The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs,” he wrote.

“As a result of not having done these things, we have not adhered to standards expected of us, and our response was inadequate. The remedy to this situation will not be immediate, but it will be as swift as possible.”

Plunkett said the Gawker team has re-established control over compromised systems, set up a helpdesk, is reviewing its code base and has made “appropriate changes to administrative accounts to our web and application infrastructure”.

The firm has also enabled SSL for all users with Gawker Media accounts on Google Apps, is pushing to integrate the OAuth verification system, and will offer disposable accounts to commenters who don’t want to have their details saved on Gawker servers.

Security experts at the time of the hack warned users to maintain different log-in credentials for different accounts, after it emerged that some of the stolen log-in details were being used to access Twitter accounts to send spam updates.

A quarter of UK internet users reuse the same password for important accounts such as email, banking or shopping and social networking sites, according to a survey from network security firm Check Point released today.

The firm also identified that over three-quarters of consumers use risky password construction practices, such as including personal information and words.
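The Twitter spam described above is the classic signature of credential stuffing: a leaked username/password list replayed against an unrelated site, where it works for exactly the users who reused their password. The following is an added example, not code from the article or from Gawker or Twitter, showing how a site on the receiving end can spot such a replay in its login logs: one source address trying many distinct usernames in a short window, with most attempts failing, and then listing the accounts that did log in successfully from that address so they can be forced through a password reset. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detection over web login logs (added example).

A stolen credential list replayed against another site shows up as one
source IP cycling through many distinct usernames with a high failure
ratio; accounts that *succeed* from such an IP are the password reusers.
Log format, sample lines and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.5 replays a leaked list (8 users, 2 hits); 198.51.100.9 is an
# ordinary user mistyping one password; 198.51.100.7 is a normal login.
SAMPLE_LOG = """\
2010-12-13T10:00:01Z 203.0.113.5 alice LOGIN_FAIL
2010-12-13T10:00:03Z 203.0.113.5 bob LOGIN_OK
2010-12-13T10:00:05Z 203.0.113.5 carol LOGIN_FAIL
2010-12-13T10:00:07Z 203.0.113.5 dave LOGIN_FAIL
2010-12-13T10:00:09Z 203.0.113.5 erin LOGIN_OK
2010-12-13T10:00:11Z 203.0.113.5 frank LOGIN_FAIL
2010-12-13T10:00:13Z 203.0.113.5 grace LOGIN_FAIL
2010-12-13T10:00:15Z 203.0.113.5 heidi LOGIN_FAIL
2010-12-13T10:00:20Z 198.51.100.7 carol LOGIN_OK
2010-12-13T10:01:00Z 198.51.100.9 dave LOGIN_FAIL
2010-12-13T10:01:05Z 198.51.100.9 dave LOGIN_FAIL
2010-12-13T10:01:10Z 198.51.100.9 dave LOGIN_OK
2010-12-13T10:30:00Z 198.51.100.7 carol LOGIN_OK
"""


def parse(log_text):
    """Parse log lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.5):
    """Flag source IPs that, within any sliding window, attempted at least
    min_users distinct usernames with a success ratio at or below
    max_success_ratio. Returns {ip: {"users", "attempts", "successes"}}
    for the widest qualifying window seen per IP. A single account being
    brute-forced (one username, many failures) is deliberately not flagged
    here; that is a different detection."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) < min_users:
                continue
            successes = sum(1 for e in span if e[3])
            if successes / len(span) > max_success_ratio:
                continue
            best = flagged.get(ip)
            if best is None or len(users) >= best["users"]:
                flagged[ip] = {"users": len(users), "attempts": len(span),
                               "successes": successes}
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged IP: these are
    the password reusers whose credentials were valid on the replayed list
    and should be forced to reset."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3]})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

On the constructed log this flags only 203.0.113.5 (8 distinct usernames, 2 successes) and reports `bob` and `erin` as the accounts to reset; the single-account retry from 198.51.100.9 is left alone because it never touches a second username. Real deployments tune the window and thresholds to their own traffic and usually correlate across many attacker IPs, since replay tools spread the list over proxies.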

