42 comments

[ 2.2 ms ] story [ 112 ms ] thread
That is a very good question, I am sure Gawker has its hands full trying to fix their leak and make sure that all its employees change their PW first.
Not a total excuse, but they don't have email addresses for all their users (it wasn't a required field).
select * from users where email <> '' and email is not null
I assume you have never had to send email to hundreds of thousands of people with short notice. There are many ways to get banned in very short order. The typical route is to use a third party service, but they are almost without exception set up to not accept a large non opt-in list for immediate mailing.
Either you replied to the wrong comment or you're not familiar with database queries?
I'm perfectly familiar with database queries, but pulling a list of email addresses doesn't do anything. The problem is what you do when you have the list of email addresses.
Might just be trying to underplay it and hope it blows over?
I think they gave up on that a while ago.
They answered:

"We are in the process of sending out emails to all ~1.5m users affected. Unfortunately, sending out that many emails is not a simple process."

I think MailChimp/Campaign Monitor/SendGrind should be able to handle a 1.5M volume quite nicely.

Indeed, sending 1.5m emails is not a problem. not even close to.
It is when you have never emailed the list before and don't have a relationship with a mailing service to do it on your behalf. Not a lot of firms like people walking up with a 1.5m non opted in list that you want to send to immediately.
Their MailChimp API key was hardcoded into their source, so I think they've got an established relationship.
I bet they will get blacklisted on google yahoo and hotmail before they are done. That's a lot of email.
I've often wondered how companies such as the ones listed in another comment (MailChimp, Campaign Monitor, SendGrind) avoid being banned, or any company that sends a large amount of mail. Is something that just requires you to build up reputation over time?
It's a multi stepped process: use different IPs for different clients, warm up the IPs to build good reputation, actively work with ISPs to whitelist the IPs, enroll in loopback programs with the ISPs, carefully monitor spam complaint and bounce rates, etc.

Sending a large amount of email to a well established list can actually help your reputation, since the ISPs see that you send large numbers of emails that don't get reported as span -- that makes the (hopefully) few that do not affect your reputation as much.

Preparing, negotiating, and generally trying to avoid this may be what's taking the longest.

FWIW, my password reset email was sent via Gawker side-project kinja.com. Curious.

My email from teamhint was in my Gmail spam folder.

If there weren't a nugget of truth in this, this phrase from the email would actually be hilarious:

"We HIGHLY recommend you change all of your online passwords as a precaution."

Thankfully my Gawker password was limited to a few sites of no worth and you can't deduce any of my other ones form it.

There's a little bit of scaremongering in that sentence though. Why change your other passwords, UNLESS your Gawker password was your email password too? After 19 years on the Internet, I have a lot of logins.

OpenID ain't looking too bad now, is it?

Well hey, cut them a little slack. They shouldn't have to account for the computer security diaspora.
(comment deleted)
Then why did I get a (spammy) warning from teamhint@hint.io last night?

It would seem to be possible for Gawker to notify their users more quickly.

Sorry for the spam. Truly not our intentions. We've already deleted the email addresses from our database.
my apologies for the sharp rhetoric, i only meant to say that SOMEone was able to get the notice out right quick. i think it's great that you guys did that, seriously, but i think it was a mistake to forget what the click?Hash idiom is typically used for.

and really, your actions kinda put a lie to gawker's sloth, so extra props for that.

Yes, that was our mistake. Sendgrid did that automatically for analytics purposes, and I thought it was kind of lame once I found out after the fact.
No biggie. It wasn't actually spam so no harm no foul. You did good.
I got a notice from teamhint, very pleased as I wasn't sure which email I used for posting to Gawker/Valleywag. I then changed my main logins under that email.
Does anyone even know what hint.io does?

The links in their "Your account has been compromised" lead me to a login page for the beta site, which of course I don't have an account for.

Very odd to advertise for a site which then the "users" can't use.

"Unfortunately, sending out that many emails is not a simple process."

If Gawker needs help, they can let us know. We finished updating their users ~ 10 hours ago.

http://thenextweb.com/media/2010/12/13/digital-good-samarita...

All 1.5m? I didn't receive anything.
No, not all 1.5MM are publicly available.
EDIT: I did in fact get the email, but gmail is classifying as spam, FYI.
So why did you feel the need to embed tracking images into that email?
I'm not sure if you guys have dealt with ISP blacklists before, but I think there is a good chance hint.io will never be able to reliably reach an inbox again. Sending emails to white-listed addresses is hard enough to get right, let alone sending to 1.5 million arbitrary email addresses.
It takes a special kind of entrepreneur to knowingly use a list of hacked email addresses to promote their own service.

"Nice Job" hint.io.

It ended up in everyone's spam folders for a reason.

Jeff,

Knowing that we've saved tons of people's accounts from being vulnerable while Gawker sat back and did nothing is what I would call a nice job.

Cheers,

Dru

Being Gawker, I'm sure they'll CC every one of their users in the e-mail.
Jesus. I just happened to check the reset password with my email address and found out that I do have an account. I have no idea what my password was, now I have to reset everything just to be safe.
I did the same thing -- so I went and d/l'ed the torrent last night to find what my password had been.

What a weird world we live in.

The good thing is that the password is reset to a random string when you click "send password", so no further action is necessary if you don't read Gawker anymore.
except now you can't tell if you used one of your "standard" passwords or not, so you have to reset your passwords on every web site you've ever used. Instead of "reset your password", try logging in with your standard passwords, and hope that nothing works.
True, and I'm finding myself trying to account for every site I've used the same email address. Impossible, thanks Gawker (and me).
It's unfortunate that they still have no way to delete your account, because I wanted to delete mine a year ago and I'm sure they would have a lot fewer emails to send out.