What is hint.io? Gawker's compromised data and the ethics of transparency


Opensource.com

Did you recently find that a stunning number of your Twitter friends spent their weekends discovering the miracles of acai berry? In short, Gawker Media account information was compromised this weekend, and the first place the information was put to use was a mass attack of Twitter spam.

The BBC and Mashable have that side of the story covered, though. What I'm interested in is how Gawker (which includes Jezebel, Gizmodo, Lifehacker, Deadspin, and io9, among other sites) handled it. Spoiler alert: It wasn't with openness and transparency.

This morning I got an email from hint.io telling me that my Gawker account had been compromised. I very nearly ignored it as phishing. From the screenshot at the top of this post, you can probably see why. All three of the links in it, including the one to the Forbes article, point at the hint.io domain, which I'd never heard of. Googling the domain name mostly turned up other people on message boards asking the same question. The site itself offers only a vague description of what it is and says that it's in beta.

But it is, in fact, a legitimate email, for certain definitions of legitimate.

A legitimate email that should have come from Gawker. They have finally posted a brief apology and a FAQ, neither of which mention hint.io (presumably because they have nothing to do with each other). And as far as I can tell, Gawker still hasn't sent out emails to the compromised accounts themselves, although the FAQ suggests that they're "in the process of notifying those users."

So what of hint.io, then? It appears to be the tool of a group that took matters into their own hands after Gawker opted to leave its users in the dark. TNW (The Next Web) calls them "good Samaritans." But at least one commenter there thinks that those sending the emails are as bad as those who compromised the accounts to begin with, since they're using the compromised data to send the alerts.

As one of the recipients, I disagree. I'm thankful for their transparency where Gawker was unwilling. The data has been released. That can't be changed. But they've used it for good, not evil. Or at least as an effort to help prevent more evil.

What do you think? Is using the data to promote transparency acceptable? Or equally unethical?

Edit: Read this newer Forbes blog post for even more on Gawker's complete lack of transparency when it comes to users' security, which goes back at least a month.

Ruth Suehle is the community leadership manager for Red Hat's Open Source and Standards team. She's co-author of Raspberry Pi Hacks (O'Reilly, December 2013) and a senior editor at GeekMom, a site for those who find their joy in both geekery and parenting.

27 Comments

In principle, fine. But the real question is... how did they get our email addresses and know we were part of the Gawker network? The only way I can think of is by having access to the hacked data.

I didn't bother to read to the end of your article.
*facepalm*

I too received the hint.io message. It was marked as spam by my service provider. I think it is the ABSOLUTELY WRONG thing to do. The first thing I thought was "Who is hint.io and how did they get my account information." They have no right to my account information. How am I supposed to know they are the "good guys" when they send me unsolicited e-mail?

<em>How am I supposed to know they are the "good guys" when they send me unsolicited e-mail?</em>

Exactly. When I re-read it, I got that they were probably trying to convey that, but they did a pretty bad job of it.

I was deeply suspicious when I got the e-mail from Hint.io this morning. It looks scamalicious, and a Google search didn't change my mind. An under-construction website with little or no info...hmmmm. Scam! Scam, scam, scam. Scummy scam bots.

I'm thinking that the hackers who did Gawker have either sold the e-mail addresses or are in cahoots with this Hint.io. I'm waiting for vast amounts of spam to come into my inbox; we shall see.

*don't for the love of Santa click on the links in the Hint.io e-mail*

I love the word "scamalicious." :-)

The people behind hint.io seem to be reasonably reputable people, based on a little Googling. I'm pretty sure it wasn't a matter of a sold database, since it was posted on the Pirate Bay. So far, it seems to be all in an honest desire to do the right thing, although I am entirely willing to believe that hint.io did it for the publicity to get their beta rolling. The whois info says that the domain was just registered Nov 24, less than three weeks ago.

Domain Handle : DOM-95770
Domain Name : HINT.IO
Organization Name : Dru Wynings
Created : November 24 2010.
Last Updated : November 24 2010.
Expires : November 24 2011.
Primary Nameserver
Nameserver : NS1.MEDIATEMPLE.NET
Secondary Nameserver
Nameserver : NS2.MEDIATEMPLE.NET

(Rest of the contact info is all him as well.)

... if you look at the headers in the email, you'll find this:
Received: from matthew-gagnons-macbook-pro.local (unknown [10.9.180.5])

Could be spoofed, of course, but given that one of the hint.io guys calls himself Matt Gagnon, it rings true. Certainly fits in with the rest of the picture.

No need for cahoots - the stolen file is available to anyone with a torrent client.

Did only the direct accounts get hacked? Or did the leak include email addresses of everyone they've ever "pinged"? Reason being... I looked at the list, and I've never logged into any of the sites mentioned, so I shouldn't have an account breach.

But I got the email, so I'm wondering...

Not sure what you mean by people they've pinged. Do you mean anyone someone at Gawker has ever emailed? Gawker says that it was just commenter accounts. Here's what Forbes said about the extent of the breach:

<blockquote>analysis of the file released by the crackers themselves indicates that the breach extends to employees of Gawker, includes credentials for internal systems (Google applications, collaboration tools) used at the company, includes a leak of Gawker’s custom source code, includes credentials of Gawker employees for other web sites, includes FTP credentials for other web sites Gawker has worked with, includes access to Gawker’s statistics web site, and includes the e-mails of a number of the users who left comments at Gawker as well as users of lifehacker.com, kotaku.com, and gizmodo.com.</blockquote>

I got this mail too - but unlike many, I read Gawker but am not a registered user. Hence, this mail from io looks like spam to me, because they say 'my account is compromised' yet I never had one there. I have a static IP, hence I bet they could trace that back to my domain and search my domain's site, then spam my addresses. SO YEAH, thumbs up for them letting us know, but they are not as all-knowing as they think they are on the user front.

Lots of other sites in the Gawker network - Lifehacker, io9, Jezebel, Gizmodo, etc. If you're registered on any of 'em, that's how they got your email.

I don't know what is included in "Google applications", but if it's iGoogle or Gmail, that's pretty bad.

By "ping" I mean, if a user has an account and sends data to someone who does NOT have an account on a Gawker affiliate, would this be a way the breach could propagate a recipient's email address? I don't believe I have ever logged into anything in the Gawker network, but obviously don't know how broad that network is. Up to a few minutes ago, I didn't think it included Google.

As far as I can tell, it's only people who have commented on a Gawker site. It's a pretty long list of sites, so there's even a chance that you've done it a long time ago on one and forgotten. It doesn't include Google, though. Some Google apps info for /Gawker employees/ was compromised.

I was writing about this earlier here: http://wp.me/p1dTj0-p.

Part of the problem, aside from it being in the junk folder, is that the subject line very strongly implied that anyone who got this email had an account at hint.io, and that it had been hacked, even though most of us had never heard of this place before today. The whole thing smacked of getting an account update notice from a bank you've never done business with.

It's Internet ambulance chasing, to me. I'm not sure if they actually meant to be helpful but are just inept at it, or if they're of the mind that "any publicity is good publicity" and that people being publicly irritated with them will at least drive traffic to their site (which I'm sure it has).

... then I'm thinking that the Wikileaks stories lead them to believe that being extra open about anything is good publicity right now.

I got an email from them today, but I don't have a Gawker account...

Even if they're trying to position themselves as "good samaritans", the links don't just point to hint.io. They're fully encoded with data uniquely identifying the account to which the mail was sent.

Any mail containing uniquely identifiable click links automatically gets a spam tick from me. They're tracking the clicks; there's no other reason for doing it the way they did.
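The checks this thread keeps circling back to, as an added example (not code from the article, from hint.io, or from any commenter): the article's point that every link, including the "Forbes article" one, went to an unfamiliar domain; the Received header quoted in an earlier comment, which names the originating host; and the per-recipient tracking token flagged in the comment just above. The sample message, its hostnames (example.net, recipient.test, someones-macbook-pro.local), addresses and token are constructed; the brand table is a hypothetical stand-in for a real list, and the token-shape regex and the "last two labels" domain rule are simplifying assumptions.

```python
"""Triage the phishing signals discussed on this page for one email.

Added example, not code from the article or from hint.io. The message
below is constructed: its hosts, addresses and the token are made up.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Constructed sample. The origin hop mimics a "from <laptop> (unknown [10.x.x.x])"
# Received line; every link goes to the sender's own domain and carries one token.
SAMPLE_RAW = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.recipient.test
Received: from someones-macbook-pro.local (unknown [10.9.180.5]) by mail.example.net
From: Example Alerts <alerts@example.net>
To: alice@recipient.test
Subject: Your account may have been compromised
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the <a href="http://example.net/r/8c41?u=7f3a9b2e">Forbes article</a>,
then <a href="http://example.net/reset?u=7f3a9b2e">change your password</a>.</p>
</body></html>
"""

# Hypothetical brand-to-domain table; a real filter would use a much larger list.
BRAND_DOMAINS = {"forbes": "forbes.com", "gawker": "gawker.com"}
# Opaque-looking path segments or query values: hex of 6+ chars, or base64url of 12+.
TOKEN_RE = re.compile(r"^[0-9a-f]{6,}$|^[A-Za-z0-9_-]{12,}$")
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*\(([^)\[]*?)\s*\[([0-9a-fA-F.:]+)\]\)")


class _LinkParser(HTMLParser):
    """Collect (href, anchor text) pairs from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def extract_links(html):
    p = _LinkParser()
    p.feed(html)
    return [(href, " ".join(text.split())) for href, text in p.links]


def registrable_domain(host):
    # Naive last-two-labels rule; use a public suffix list for co.uk-style domains.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def mismatched_links(links):
    """Anchor text that names a brand whose domain differs from where the href goes."""
    found = []
    for href, text in links:
        dest = registrable_domain(urlparse(href).hostname or "")
        for word in re.findall(r"[a-z0-9.-]+", text.lower()):
            claimed = BRAND_DOMAINS.get(word.split(".")[0])
            if claimed and claimed != dest:
                found.append((text, claimed, dest))
                break
    return found


def shared_tracking_token(links):
    """A token present in every link is a per-recipient identifier; None if absent."""
    per_link = []
    for href, _ in links:
        u = urlparse(href)
        cands = {v for _, v in parse_qsl(u.query)} | set(u.path.split("/"))
        per_link.append({c for c in cands if TOKEN_RE.match(c)})
    common = set.intersection(*per_link) if per_link else set()
    return min(common) if common else None


def origin_hop(msg):
    """Parse the earliest (last-listed) Received header into host, rDNS, IP."""
    received = msg.get_all("Received") or []
    m = RECEIVED_RE.search(received[-1]) if received else None
    if not m:
        return None
    host, rdns, ip = m.groups()
    return {"host": host, "rdns": rdns.strip() or None, "ip": ip,
            "private": ipaddress.ip_address(ip).is_private}


def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    links = extract_links(part.get_content() if part else "")
    sender = parseaddr(str(msg["From"]))[1].split("@")[-1]
    return {
        "sender_domain": registrable_domain(sender),
        "link_domains": sorted({registrable_domain(urlparse(h).hostname or "")
                                for h, _ in links}),
        "mismatched": mismatched_links(links),
        "tracking_token": shared_tracking_token(links),
        "origin": origin_hop(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RAW), indent=2))
```

Run it on a raw `.eml` instead of `SAMPLE_RAW` to triage a real message. The three findings are independent signals, not a verdict: a legitimate notice can trip all of them, as this thread shows, and the earliest Received hop is only as trustworthy as the relay that recorded it, since anything below a hop you control can be forged.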

If all spammers were that helpful, I'd gladly read my spam folder everyday.

It's pretty standard procedure for anyone interested in the metrics of their viral marketing to use clicks. Of course, it's viral marketing, and so is the fact that what their product does is not discussed on their websites, so that people like us end up discussing it in places like here.

But they did something useful for me, by warning me quickly of something that could have been potentially very damaging (it wasn't in my case, all of my passwords, including my Gawker commenting password, are isolated). Gawker only JUST sent me an email about it. Right now, I'm certainly more interested in what Hint.io is trying to sell me than in whatever "news" Gawker's blogs are reporting right now.

Hi Everyone. Hi Ruth.

I just wanted to shed some light on why we felt it necessary to warn Gawker users.
----

Before hint, I built a large portion of the authentication and ecommerce systems for WSJ and its extended offerings (http://www.linkedin.com/pub/matt-gagnon/1/825/167). It is very common for people to share credentials across websites. And many of those websites have credit cards or even banking systems tied to them. Any type of data like that contained in the gawker breach moves very quickly online and those interested in this type of data understand its value when connected to other accounts.

You can see a mild example of what I'm talking about here:
http://news.yahoo.com/s/ap/20101213/ap_on_hi_te/us_tec_twitter_worm

We'd like to apologize to those who felt the email was "spammy". However, there was no way for us to determine who on the list would be offended, and we felt the potential down-the-road hassle for others (financial or otherwise) outweighed the immediate inconvenience of an extra email in someone's inbox.

To give you a data point: of the emails we sent, 0.00049% have been indicated as spam.

The links in that email did contain tracking, but they weren't intended as such, or as malicious. The goal was to get the email out as quickly as possible, and some of the software we had at the ready was already coded to add that tracking to the links automatically.

We temporarily stored the emails to notify those affected. All email addresses have been permanently deleted from our system.

If you or anyone has any other questions, feel free to email me at mattgagnon@hint.io

-Matt

http://blog.kamens.us/2010/12/13/the-wrong-way-to-be-a-good-samaritan/

Just out of curiosity, when Hint leaves stealth mode, will it be competing with Gawker Media?

Matt--Thanks for coming over to clarify the Hint POV. But why did you choose to send it from Hint instead of from, "Hi, I'm Matt Gagnon, and here's what happened and why I'm sending this"? I assume the answer is that it was an opportunity to put the name of your new project in front of a ton of people very quickly, unless this sort of thing will be Hint's purpose.

And of course, if that was the intention, it worked--I have to admit, I am quite curious to see what Hint turns out to be, beyond the vague description that's there.

How can anyone be interested or even remotely curious in a website after they pull something like this?

@Jonathan Kamens: We will not be competing with Gawker Media or any of its sibling properties.

Ruth- Admittedly we wrote the email very quickly as we could already see the data being widely distributed across the web. In retrospect, having received lots of feedback from the internet community, we would have phrased the email differently.

I can't say much about Hint as it's still in private beta, and likely will be for a couple more months, but the problem we're solving is somewhat related: how do we make sure information that we need to know gets to us when we need to know it.

I started getting the strange email saying that since gawker was compromised, that I should change my password at hint.io blah blah blah...I think this whole debacle just hints at a future where we are all given bar codes stamped on our foreheads that web cams read for authentication.

I have no webcam.
Anyway, it would never work. The barcode could be fake or unreadable, or the webcam could be fed with fake imagery.

The whole hint io thing is more than likely a multi level marketing plan, get rich quick plan, selling scam, look at this and buy it scam or buy these goods and become a millionaire in ten days flat by selling this drek to other people scam.

These guys obtained these e-mail addresses from the torrents on Pirate Bay, then bulk mailed everyone on the lists. What really annoyed me is that the e-mail had tracking links in it. This is not a legitimate business; it's scummy scambot spam.

Ruth Suehle - are you working for these guys? Because you seem to be defending them a lot.

It's a scam. End of.

Creative Commons License: This work is licensed under a Creative Commons Attribution-Share Alike 3.0 Unported License.