1048576.com 2 to the 10th, squared!

14 Dec 2010

Gawker and being proactive about online security

The massive Gawker security breach, in which both the user account data and the source code were downloaded and released on the internet, seems like a pretty major and negative event. All users' email addresses and password hashes were dumped, and for those accounts using weak passwords the hash was brute-forced to expose the plain-text password. Extra annoying: this covers every site using the Gawker comment system, not only the main site, so if you ever left comments on sites like Gizmodo, Lifehacker, Kotaku, io9 and Jalopnik, your account is part of the compromised data. As spammers got their hands on the list, you should already have noticed a significant increase in the amount of spam that gets into your inbox on major providers such as Gmail.

An embarrassing event for Gawker for sure, but something positive can come out of it: bringing awareness to reusing the same weak password on more than one site, and a chance to provide lessons in online security that educate users about the pitfalls and the best practices to avoid them. By this time you all know the drill: if you used the same password on other sites, start by changing those passwords first, then proceed by changing all of your passwords to unique, high-strength passwords. There are many password manager software packages out there that have excellent built-in high-strength password generators, or you can just make up your own long passwords by combining mixed-case letters, numbers and punctuation.

You would think this pretty much covers it, and there's not much else to be done. However, one site out there has gone the extra mile and gets extra credit in recognition for its forward thinking regarding its users' online security. That site is LinkedIn. Earlier today they disabled all the accounts that were compromised by the Gawker security breach and required those users to reset their password. Initially there was no explanation for it, the notice choosing to simply say "We have recently disabled your account for security reasons." Most people put two and two together, and about 10 hours later, around 6 PM EST, LinkedIn emailed out this official statement:

[...] This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members. There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password. [...]

A minor technical flaw is that they allow users to reuse the old password when setting the new password. While this may be as intended, I can see a problem with it: when people got the original notice, which did not tell them why they were asked to reset their passwords, some could have been annoyed and used the same old password. Had they known why they were asked to reset their password, they would probably have been more likely to choose a different one.
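To make both points concrete, the one about cross-referencing a leaked email list against your own members and the one about not letting a forced reset end with the same password, here is an added example of how a site could implement that flow. This is illustrative code written for this post, not LinkedIn's or Gawker's code; the user table, the leaked address list, the PBKDF2 parameters and the 12-character minimum are all constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def _make_record(password: str) -> dict:
    """Build an account record with a fresh salt and a PBKDF2-SHA256 hash.
    Flags start cleared; a reset stores a brand-new record over the old one."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "reset_required": False,
        "disabled": False,
    }


# Constructed sample user table (email -> record). Real data lives in the accounts DB.
USERS = {
    "alice@example.com": _make_record("correct horse battery staple"),
    "bob@example.com": _make_record("hunter2"),
    "carol@example.com": _make_record("letmein!2010"),
}

# Constructed stand-in for the email column of a leaked dump. Only the addresses
# are needed to decide who must reset; the leaked hashes are never touched.
LEAKED_EMAILS = {"bob@example.com", "carol@example.com", "nobody@example.org"}


def flag_exposed_accounts(users: dict, leaked_emails: set) -> list:
    """Disable and require a reset for every account whose email appears in the
    leak. Returns the sorted list of affected addresses; unknown emails are skipped."""
    affected = []
    for email in sorted(leaked_emails):
        rec = users.get(email.lower())
        if rec is None:
            continue
        rec["disabled"] = True
        rec["reset_required"] = True
        affected.append(email)
    return affected


def _verify(rec: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(cand, rec["hash"])


def reset_password(users: dict, email: str, new_password: str,
                   min_length: int = 12) -> tuple:
    """Complete a forced reset. Returns (ok, reason). The check that matters for
    the post's point is the third one: the new password must not verify against
    the old hash, so a user cannot silently keep the exposed credential."""
    rec = users.get(email)
    if rec is None or not rec["reset_required"]:
        return False, "no reset pending"
    if len(new_password) < min_length:
        return False, "too short"
    if _verify(rec, new_password):
        return False, "new password must differ from the old one"
    rec.update(_make_record(new_password))  # new salt, new hash, flags cleared
    return True, "password changed"


if __name__ == "__main__":
    print(flag_exposed_accounts(USERS, LEAKED_EMAILS))
    print(reset_password(USERS, "carol@example.com", "letmein!2010"))
    print(reset_password(USERS, "carol@example.com", "a brand new passphrase"))
```

Because the old password is only ever compared by hashing the candidate and checking it against the stored digest, the site never needs to keep the old plain-text password around to enforce the rule, and re-salting on every reset means the new hash shares nothing with whatever was in the dump.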

Regardless, this is a commendable effort on LinkedIn's side, and I both hope and encourage more online businesses to follow in their footsteps. This of course means that LinkedIn's software engineers likely downloaded the Gawker torrent, but unlike the other guys who did the same, they used it for good!