Gawker’s future security plans revealed
An internal memo sent to the Gawker staff by Thomas Plunkett, Gawker Media CTO, has revealed further details about last week’s massive breach that resulted in the release of 1.3 million login credentials for as many Gawker-related accounts and a flurry of password-changing requests from Gawker itself, Twitter, LinkedIn and other online services.
“In recent weeks, intruders were able to gain access to our web servers by exploiting a vulnerability in our source code, allowing them to gain access to user data and passwords,” he wrote. “With this information, they were able to gain access to the editor wiki, some Gawker Media email accounts, and other external resources.
“It is clear that the Gawker tech team did not adequately secure our platform from an attack of this nature,” he admitted, and said that they were, in fact, not prepared to respond to the situation adequately.
Why weren’t they prepared? There is a variety of reasons: they didn’t plan for such an event and they gave more attention to upcoming plans and products than to the ones they had already executed. Also, he claims, the breach happened because the company has “never been afraid to take an unpopular or controversial stance with regard to individuals or organizations”, and has consequently drawn the ire of many.
“The tech team should have been better prepared, committed more time to perform thorough audits, and grown our team’s technical expertise to meet our specific business needs,” he wrote, and shared what steps have already been taken to regain total control over its assets.
They are investigating the breach with the help of an independent security firm, they have regained control over compromised systems, patched all found vulnerabilities and are still searching for more, and have modified their various administrative accounts. They have enabled SSL for all users with Gawker Media accounts on Google Apps (to prevent the compromise of internal communications), and two factor authentication for accessing external sources (e.g. documents on Google Docs).
Preceded by bout of much needed and appreciated apologies, he also announced their intention of migrating their platform away from any personal data dependencies, not storing personal information and offering disposable accounts to commenters that want to be sure of remaining anonymous.