Tuesday, December 14, 2010

Gawker breach compromised government sites

It's no secret now that Gawker had a major data breach. 1.3 million usernames have been made available in a torrent file. These days that would almost be no big deal. For everyone but the 1.3 million, anyway. Even the more interesting statistics aren't surprising. Almost 2000 people used "password" for their password. I'm sure there are similar numbers using "12345".

But those aren't the usernames and passwords that cause concern. The Rundown News Blog on PBS.org reports what appears to be a sublist of accounts belonging to federal, state and local governments. Apparently they were parsed out for future attack. Gawker has been telling people to change their Gawker password, but many, if not most, people use the same username and password for multiple sites. So there is a good (or bad) chance that we will see a government breach resulting from this, unless all of the government employees whose Gawker accounts are compromised change their passwords on all of their accounts.

Even if they don't use the same password on all sites, it would be a good idea to change all of their passwords. Unless they use a password generator, many people tend to use similar passwords: old girlfriends' names, old pets, a word with a number or symbol appended and then rotated, action heroes, comic book characters, etc.
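The two problems above, accounts from your own domains turning up in someone else's breach and users picking a "new" password that is just the old one with the number bumped, are what an organization's security team has to triage after a dump like this. The following Python script is an added example written for this post, not code from Gawker, PBS or anyone else. It assumes a constructed leaked list, a constructed internal directory of PBKDF2 password hashes, and an assumed set of domain suffixes the organization owns; it flags the organization's accounts in the leak, confirms which leaked passwords also verify against the internal hashes (proven cross-site reuse), and rejects replacement passwords that are trivial variants of the compromised one.

```python
"""Post-breach triage (added example, constructed data throughout):
1. find accounts from our own domains in a leaked credential list,
2. confirm whether the leaked password is reused on our systems,
3. reject replacement passwords that are trivial variants of it."""
import hashlib
import re
import secrets

# Constructed sample of leaked (username, plaintext password) pairs; not real breach data.
LEAKED_RECORDS = [
    ("alice@example.gov", "password"),
    ("bob@agency.state.xx.us", "Fluffy1!"),
    ("carol@example.com", "12345"),
    ("dave@city.example.gov", "batman2010"),
]

# Assumed: the e-mail domain suffixes this organization is responsible for.
OUR_DOMAIN_SUFFIXES = (".gov", ".state.xx.us")

# Common leet substitutions undone when comparing passwords for similarity.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def _derive(password, salt, rounds=100_000):
    """PBKDF2-HMAC-SHA256; stands in for whatever hash the directory really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_directory(users_and_passwords):
    """Constructed internal directory: username -> (salt, hash)."""
    directory = {}
    for user, pw in users_and_passwords:
        salt = secrets.token_bytes(16)
        directory[user] = (salt, _derive(pw, salt))
    return directory


def flag_our_accounts(records, suffixes=OUR_DOMAIN_SUFFIXES):
    """Usernames in the leak whose e-mail domain is one we are responsible for."""
    return [u for u, _ in records
            if u.rpartition("@")[2].lower().endswith(suffixes)]


def reused_on_our_systems(records, directory):
    """Users whose leaked password also verifies against our internal hash,
    i.e. confirmed cross-site reuse: these accounts need an immediate reset."""
    reused = []
    for user, leaked_pw in records:
        entry = directory.get(user)
        if entry is None:
            continue
        salt, stored = entry
        if secrets.compare_digest(_derive(leaked_pw, salt), stored):
            reused.append(user)
    return reused


def canonical(password):
    """Normalise so that 'Fluffy1!', 'fluffy2#' and 'FLUFFY3' all become 'fluffy':
    lowercase, trim leading/trailing digits and symbols, then undo leet spelling.
    Trimming happens first so the trailing counter in 'batman2010' is dropped
    rather than being read as letters."""
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return trimmed.translate(_LEET)


def is_trivial_variant(candidate, compromised):
    """True when the replacement is the compromised password with a different
    prefix/suffix, case or leet spelling, or contains no letters at all."""
    c, k = canonical(candidate), canonical(compromised)
    return c == k or not c


def vet_replacement(candidate, compromised, min_length=12):
    """Decide whether a proposed replacement password may be accepted."""
    if len(candidate) < min_length:
        return False, "too short"
    if is_trivial_variant(candidate, compromised):
        return False, "trivial variant of the compromised password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed: dave reused his leaked password internally, alice did not.
    directory = make_directory([
        ("alice@example.gov", "correct horse battery staple"),
        ("dave@city.example.gov", "batman2010"),
    ])
    print("our accounts in leak:", flag_our_accounts(LEAKED_RECORDS))
    print("confirmed reuse:", reused_on_our_systems(LEAKED_RECORDS, directory))
    print(vet_replacement("Batman2011!!", "batman2010"))
    print(vet_replacement("glacier-tuba-meadow-7", "batman2010"))
```

The reuse check works against salted hashes, which is what a directory actually stores, so the defender never has to keep the leaked plaintexts around longer than the comparison; every account in `flag_our_accounts` should still get a forced reset, since a user may have reused the password on a third system the directory does not cover. The similarity check is deliberately simple (trim, lowercase, de-leet); it catches the "rotate the number" habit the post describes but not every reuse pattern.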

We see talk of how interconnected we are and how exposed online. Incidents like this serve to drive that lesson home. Because of a data breach on a private web site, an unknown amount of government data of unknown sensitivity is at risk. Not to mention the citizens' accounts that risk compromise. The damage is done in this breach, but what can we do to prevent the next one? And the next one?