Gawker Media gets hacked

By Felix Salmon
December 13, 2010

There’s some easy fun to be had with the information in the Gawker Media hack. It’s interesting to know that Nick Denton used the same password across various different sites like Google Apps and Twitter and that it’s an all-digit code which makes a pretty pattern on a standard number pad. On top of that, one user with a usdoj.gov address uses the password “parasite”, while another uses the password “Princess”; meanwhile, a NASA user has the password “pervert”.

Really, however, the passwords are the least damaging thing here. (Mine’s on the list; it doesn’t even work.) Gawker’s commenters were operating under the understanding that they were anonymous; now, at least 188,000 of them, and probably more in coming days, can be associated with an email address. Some of those emails are the kind of “stealth Gmail, Yahoo Mail, or Hotmail account” recommended by Gawker; many others are not and can easily be traced to an individual. Gawker has said that it’s “deeply embarrassed by this breach”, but a much more heartfelt apology is needed. I can imagine more than a few commenters on Gawker and Wonkette and Fleshbot who would be mortified or possibly even fired if their identities became public. And already a list of .gov email/password combinations is being passed around to see whether those same passwords will unlock state secrets elsewhere.

A separate question is how damaging this all is to Gawker Media itself. Nick Denton might fancy himself a technologist, but I can’t remember a technology company ever being this comprehensively hacked, even unto the public distribution of the source code of its products. Gawker’s spent the past year carefully researching and developing its new web architecture, known internally (and now to the whole world) as the “GANJA framework”. Even if rival web publishers don’t shamelessly and illegally copy-and-paste large chunks of the source code, they are now able to see very easily how to put this kind of website together and to avoid the many dead ends which Gawker’s tech team undoubtedly ran into while building this site.

This hack may or may not affect the number of comments on Gawker Media sites — comments which Gawker Media itself says have “become a prized asset” and contribute importantly to Gawker Media’s value. Commenters, of course, represent many more pageviews than any other readers. (Incidentally, Denton recently increased the amount he’s offering to buy back shareholders’ stakes from $30 per share to $35 per share, which means that he’s now valuing the company at $35 million.)

The hackers are malicious, although they haven’t (yet) followed through on their scariest threat:

[Image: ripgawker.tiff]

Clearly, if they’re willing and able to do this, #gnosis could cause vastly more damage than they have done already. Equally clearly, as Gawker says, the company “should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems”. And going forwards, it’s going to be very hard for anybody to trust Gawker as a media organization which can’t get hacked. What’s more, the way that Gawker taunts known hackers only makes such hacks more likely.

This, then, is a vivid example of the tail risk associated with companies like Gawker and is the main reason to sell shares back to Denton at $35 apiece: you never know what kind of event might happen to render the company worthless. That extreme outcome probably won’t come to pass, but do you want to take the risk?

Update: Gawker Media now has a FAQ up, which stops short of an apology. What Gawker didn’t do — but what the good people at Hint did do — is email everybody whose email and password were made public, to inform them of that fact. “In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately,” they wrote. I’m with them: Gawker should have done what Hint did. But, thankfully, now they don’t need to. And if you haven’t received an email from Hint, there’s a good chance that your email and password have not been made public.
