Did you recently find that a stunning number of your Twitter friends spent their weekends discovering the miracles of acai berry? In short, Gawker Media account information was compromised this weekend, and the first place the information was put to use was a mass attack of Twitter spam.
The BBC and Mashable have that side of the story covered, though. What I'm interested in is how Gawker (which includes Jezebel, Gizmodo, Lifehacker, Deadspin, and io9, among other sites) handled it. Spoiler alert: It wasn't with openness and transparency.
This morning I got an email from hint.io telling me that my Gawker account had been compromised. I very nearly ignored it as phishing. From the screenshot at the top of this post, you can probably see why. All three of the links in it, including the one to the Forbes article, link to the hint.io domain, which I'd never heard of. Googling the domain name mostly resulted in other people on message boards discussing it. The site itself has only a vague description of what it is and says that it's in beta.
But it is in fact, a legitimate email, for certain definitions of legitimate.
A legitimate email that should have come from Gawker. They have finally posted a brief apology and a FAQ, neither of which mention hint.io (presumably because they have nothing to do with each other). And as far as I can tell, Gawker still hasn't sent out emails to the compromised accounts themselves, although the FAQ suggests that they're "in the process of notifying those users."
So what of hint.io, then? It appears to be the tool for a group that took matters into their own hands after Gawker opted to leave its users in the dark. TNW (The Next Web) calls them "good Samaritans." But at least one commenter there thinks that those sending the emails are as bad as those who compromised the accounts to begin with, since they're using the compromised data to sent the alerts.
As one of the recipients, I disagree. I'm thankful for their transparency where Gawker was unwilling. The data has been released. That can't be changed. But they've used it for good, not evil. Or at least as an effort to help prevent more evil.
What do you think? Is using the data to promote transparency acceptable? Or equally unethical?
Edit: Read this newer Forbes blog post for even more on Gawker's complete lack of transparency when it comes to users' security, which goes back at least a month.