Gawker Breach Victims Aided by Unexpected Allies (Updated)
If you read blogs at all you have probably heard of Gawker Media. The megablog is the umbrella for some of the most successful blog domains on the Web, including Gizmodo, Lifehacker, Kotaku, Jalopnik, ValleyWag, Deadspin, Jezebel, ion and others. The blogs all share a centralized commenting system, so a single username and password works across all of their properties. Those commenter credentials (usernames, email addresses and passwords), along with an assortment of other private data (such as FTP sites and internal communication logs), were compromised last weekend (Lifehacker has posted a full Q&A), and giant spreadsheets of the stolen data were distributed via torrents.
While the serious implications of such a breach are not to be ignored (particularly for a site that makes a habit of taunting the likes of the notorious trolls at 4chan), another phenomenon has emerged out of the mass release of email addresses attached to compromised Gawker accounts; I know this because my email and password were among those compromised. Within a day of the initial breach I began receiving emails. Not from Gawker (that came later), or from spearphishers (which was what I expected), but from LinkedIn and Blizzard's Battle.net.
Luckily, the password I used for Gawker was not the password to the email account I used to register, but I'm sure this is not the case for many of the commenters. Take a look at the email I received from LinkedIn:
And the email I received from Blizzard:
While I was initially concerned that these were attack emails, there was a clear sign that these emails were legit: there was no link to "click here" to update your password and account info. Both emails ask the user to go to the site and to reset their password through the usual channels. No unexpected or new steps, no request for personal information to "verify" the account, just the same steps one would take to ordinarily change a password.
There is something new going on here. Both Blizzard and LinkedIn took the time to obtain the leaked list, match it against their own users' email addresses, and reach out to those whose accounts were in danger of being hijacked (most obviously anyone who had reused their Gawker password elsewhere). This kind of proactive protection shows that these companies not only care about their customers, but also recognize that helping users keep their account credentials private is good for the integrity of their own systems. By helping users secure their accounts, these companies keep their networks free of the spam, phishing attacks and other nefarious activity that compromised profiles make possible.
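To make the cross-reference step concrete, here is an added sketch of what a third-party service has to do with a dump like this. It is illustration only, not anything LinkedIn or Blizzard published: the dump rows, the user table, the column layout and the hash strings are all constructed. The important design choice is that only the email column is ever loaded; the leaked usernames and password hashes are discarded, because the only safe response to a possible reused password is to force a reset, not to try to confirm reuse against the leaked hashes.

```python
"""
Cross-reference a leaked credential dump against a site's own user table
and produce a forced-reset list. Illustrative code, not from the original
article; all data below is constructed.
"""
import re

# Constructed sample of a leaked dump in a plausible CSV shape:
# username,email,password-hash. The hash values are made-up placeholders.
LEAKED_DUMP = """\
username,email,hash
alice,Alice@Example.com,AbCdEfGhIjKlM
bob, bob@example.org ,ZyXwVuTsRqPoN
carol,carol+gawker@example.net,QwErTyUiOpAsD
dave,not-an-email,11111111111111
"""

# Constructed sample of our own (fictional) user table. We store only our
# own password hashes, never plaintext, so email is the only usable join key.
OUR_USERS = [
    {"id": 1, "email": "alice@example.com", "reset_required": False},
    {"id": 2, "email": "bob@example.org", "reset_required": False},
    {"id": 3, "email": "carol@example.net", "reset_required": False},
    {"id": 4, "email": "erin@example.com", "reset_required": False},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_email(addr):
    """Canonicalise an address so the dump and our table join reliably:
    trim whitespace, lower-case, and drop a '+tag' from the local part
    (same mailbox owner, which is what matters for notification).
    Returns None for anything that is not a syntactically plausible address."""
    addr = addr.strip().lower()
    if not EMAIL_RE.match(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def parse_dump(text):
    """Return the set of normalised emails found in the dump.
    Usernames and hashes are deliberately thrown away: nothing from the
    leaked password material should be imported into our systems."""
    emails = set()
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(",")
        if len(parts) < 2:
            continue
        email = normalize_email(parts[1])
        if email:
            emails.add(email)
    return emails


def find_exposed_users(users, leaked_emails):
    """Users whose registered address appears in the leaked set."""
    return [u for u in users if normalize_email(u["email"]) in leaked_emails]


def flag_for_reset(users, leaked_emails):
    """Mark exposed accounts as requiring a password reset at next login
    and return their ids (the list a notification job would consume)."""
    exposed = find_exposed_users(users, leaked_emails)
    for user in exposed:
        user["reset_required"] = True
    return [u["id"] for u in exposed]


if __name__ == "__main__":
    leaked = parse_dump(LEAKED_DUMP)
    ids = flag_for_reset(OUR_USERS, leaked)
    print(f"{len(leaked)} leaked addresses, {len(ids)} of our users affected: {ids}")
```

The notification that goes out to the flagged ids should follow the pattern the emails above show: tell the user what happened and ask them to change their password through the site's normal, already-known channel, with no clickable reset link, since a link in an unexpected security email is exactly what a phisher riding the same breach would send.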
This raises a few questions: did any other sites reach out to their users like this? Why haven't the email providers jumped on this bandwagon? Should this become standard practice for all online services, and if so, what kind of costs are associated with providing this kind of vigilance (when it is possible)?
Companies are not the only good actors in this story. The first email I received after the breach wasn't from a business at all, it was from a group calling themselves "Team Hint" that immediately distributed the following email to all of the users whose emails had fallen victim to the attack:
It seems these good Samaritans (could they be considered whitehats?) decided that commenters shouldn't be responsible for the fallout from Gawker's taunting of other online communities. A pleasant reminder that, although the Web is full of bad actors, there are folks who are looking out for the common good with no incentive at all.
Update: We've heard that Amazon has also been reaching out to users with compromised emails. Feel free to add any others to the comments section below!