Email addresses filched from Gawker, McDonald’s, Walgreen

Written by John P Mello Jr on December 21, 2010

Spammers must have been licking their lips after hearing about the recent data breaches at Gawker, McDonalds and Walgreen. They can’t wait for the millions of email addresses–as well as account passwords, usernames and cell phone numbers–filched by hackers to make it into their hands. Fortunately, more sensitive data, such as Social Security, bank account and credit card numbers, weren’t compromised in the raids.

The assaults were launched the weekend of December 10-12. On Friday, Walgreen started notifying its customers that they may start to see email messages in their inboxes directing them to websites that will try to obtain personal information from them. Why were the drugstore chain’s customers suddenly such a popular target for phishers? Its email list had been compromised, it explained. No customer names were captured by the intruders, nor was any customer prescription information.

By Monday, both McDonalds and Gawker Media–which operates a number of websites, including Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, Io9 and Fleshbot–also discovered they’d been hacked.

In McDonalds’ case, it had hired an outside contractor to handle its email promotions. That contractor, in turn, hired someone else to manage the email list for the promotions. It was that company’s systems that were penetrated, allowing information that might have included customers’ names, mobile phone numbers, postal addresses and email addresses to fall into the hands of net bandits.

Gawker, too, confessed its systems had been hacked and the web sappers had stolen the usernames and passwords of people who had registered at the company’s websites. The information was encrypted, it said, but still vulnerable. It urged its users to change their passwords to be safe. One of Gawker’s concerns was that a user’s password could be used to access multiple sites. That’s because it’s common for many users to use a password repeatedly rather than try to juggle scores of them in their heads.

It has been reported that emails and passwords of 1.3 million registered users of the Gawker sites were published on the Internet. Why was Gawker singled out? Apparently for its hubris. In July, hackers from 4chan.org mounted a number of denial of service attacks (DDoS) against Gawker. (A 4chan splinter group calling itself Anonymous recently mounted similar attacks against Visa and Mastercard in retaliation for those credit card companies choking off contributions to Wikileaks.) Gawker foiled the 4chan offensive, but it wasn’t content with that. It taunted the posse at 4chan with boasts about the strength of their systems to withstand DDoS assaults. Gawker’s bravado irked an ad hoc group of net activists calling themselves Gnosis, who engineered the latest intrusion on Gawker’s systems. The group told the Mediaite website, “We went after Gawker because of their outright arrogance.”

As any security pro will tell you, no system is 100 percent secure. If an attacker has the resources and perseverance to do so, they will find a way to penetrate a company’s defenses. That said, if you can stay off the cracking community’s radar screen, the kind of resources needed to penetrate your systems won’t likely be marshaled to do so. So crowing about the invincibility of your system defenses, as Gawker did, probably wasn’t such a brilliant idea.

As Daniel Kennedy perceptively pointed out in a security column written for Forbes, “antagonizing the population of would be attackers at large can serve as a motivation for them to expend the time necessary to find a way into a system.”

“[C]laiming publicly that something is unhackable is usually a good way to find out that it is,” he continued. “Making unnecessary statements of bravado, statements potentially divorced from reality, changes the equation for an attacker, it suddenly makes compromising your environment worth more of his or her time.”

“Put another way, thumbing your nose at an entire world’s population of crackers is usually a lousy idea,” he added.

While the Gawker breaches could be pinned on a group, the sources behind the McDonalds and Walgreen attacks remain anonymous. However, the assaults may be linked to a spear phishing campaign directed at email service providers that’s been going on for several months. The source of the McDonalds breach, for example, has been pegged to an email list manager working for Arc Worldwide, which is the same company Walgreen named as its promotion marketing agency of record in 2009.

Both McDonalds and Walgreens have been mum about identifying the company or companies compromised by the hackers, but the FBI is investigating connections between the latest breaches and others at more than 100 businesses. That means we can expect more revelations about these break-ins in the coming weeks.

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.