WP Engine Security Breach: Customer Credentials Exposed (opens in new tab)

(wpengine.com)

62 pointsDavidPP10y ago27 comments

27 comments

23 comments · 8 top-level

rmdoss10y ago· 7 in thread

I will just add it here: It happens all the time.

Unfortunately, most hosting companies don't go public and warn their users. They try to hide and hope nobody else finds out.

Glad to see them going public, warning their users and doing the right thing.

gist10y ago

"Glad to see them going public, warning their users and doing the right thing."

Let me ask you something - what do you see as the benefit to going public vs. not "doing the right thing". I mean that by airing dirty laundry you also run the risk of losing customers. Are you sure that the goodwill earned by doing this outweighs the downside of airing your dirty laundry? [1]

[1] I am remembering a time long ago when a business owner told me about something personal that an employee told them. The business owner said "that was stupid that they told me that, so I fired them". This idea that all people in the world view things as generously as you might most likely hasn't been proven out in research (I am guessing..)

scarecrowbob10y ago

The benefit is that I feel better about the other years in which nothing like this has happened: it (possibly) means that things didn't happen and not just that I didn't hear about it.

Whereas if I never hear about stuff (or worse, I discover stuff way after the fact) then I don't have much of a basis for knowing if there is any system at all.

For instance, I don't mind getting a spam email or two when I open my email box in the morning, because then I am sure that it's working :D

I don't know how sound or rational that feeling is, but I understand it.

2close4comfort10y ago

How bad is your security? You have a responsibility to tell people. If you own it and you suck at what you do people should know that too. It is the right thing to do.

gist10y ago

Responsibility doesn't pay for the high cost of healthcare, taxes or the rent. Sometimes it's important to be practical for survival purposes. Not every business out there operates with other people's money or with such gross profitability that they can just afford to have "responsibility" and "do the right thing".

1 more reply

mrbluesman10y ago

Got proof to support those claims?

rtehfm10y ago

Several years ago I worked at a hosting company that was compromised via external and internal actor. The external actor used a vulnerability of WHMCS (one of many available, at the time).

To this date, the breaches were not disclosed publicly.

phzpw10y ago

Lol, I worked at the same company when this happened.

AustinG0810y ago· 7 in thread

You think they would notify customers. I have a site hosted with them and not a peep, just an invalid password notification when I try to log in.

Edit: just saying, I think it's strange that I'm finding out about it via HN first.

josefresco10y ago

I was notified with two separate emails. I subscribe to their security posts (https://wpenginestatus.com/latest-security-update/), and got a separate customer email 12 hours ago informing me of the issue.

alex_doom10y ago

They emailed everyone who ever had a login. I got an email about it and I was only added as a user to help manage an install 2 years ago.

AustinG0810y ago

I maintain that I never received an email from them. Not in spam or otherwise.

martin-adams10y ago

Depending on the timeframe and how many customers they need to email, they do need to stagger sending otherwise they can be blacklisted.

TalkTalk (UK ISP) got public backlash for using the media to announce their compromise via the media before notifying customers by email. The CEO said, the media was the quickest way as sending that many emails would take days.

1 more reply

mynameisvlad10y ago

Well then maybe you should contact them and your email provider and find out why you didn't get the email. From the other comments, you seem to be in the minority on the "finding out about it via HN first" front.

1 more reply

jackgavigan10y ago

Check your spam. I received an email about 12 hours ago (4:40am GMT).

busterarm10y ago

They notified us at 10PM EST last night.

reustle10y ago· 1 in thread

I haven't used WPE in a while, but which of these passwords are generated by them, and which are entered by me? It sounds like the "User Panel" would be my personal account password. Is this being stored in plain text in their database?

josefresco10y ago

When you create an install, the system creates a WP admin account, and then has you reset the password using WP's built in password reset function. Any installs with an active "original" admin account need to be updated.

Your customer portal password (used to access all your intals/billing etc.) will also need to be reset.

jqueryin10y ago

The blog post is rather lackluster in details. There's no word on severity or the password hashing algos used. Anybody have any updates regarding these?

josefresco10y ago

Posted update with new information:

"Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time."

josefresco10y ago

Just got this from support, in regard to password invalidation:

"We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."

Learn2win10y ago

I have asked WP Engine many times to add two factor authentication; I hope they will learn a lesson from it.

ashpriom10y ago

Well, as of now I can't use port 22 and also phpMyadmin. There is no official update on that.

j / k navigate · click thread line to collapse

27 comments

23 comments · 8 top-level

rmdoss10y ago· 7 in thread

I will just add it here: It happens all the time.

Unfortunately, most hosting companies don't go public and warn their users. They try to hide and hope nobody else finds out.

Glad to see them going public, warning their users and doing the right thing.

gist10y ago

"Glad to see them going public, warning their users and doing the right thing."

scarecrowbob10y ago

The benefit is that I feel better about the other years in which nothing like this has happened: it (possibly) means that things didn't happen and not just that I didn't hear about it.

Whereas if I never hear about stuff (or worse, I discover stuff way after the fact) then I don't have much of a basis for knowing if there is any system at all.

For instance, I don't mind getting a spam email or two when I open my email box in the morning, because then I am sure that it's working :D

I don't know how sound or rational that feeling is, but I understand it.

2close4comfort10y ago

How bad is your security? You have a responsibility to tell people. If you own it and you suck at what you do people should know that too. It is the right thing to do.

gist10y ago

1 more reply

mrbluesman10y ago

Got proof to support those claims?

rtehfm10y ago

Several years ago I worked at a hosting company that was compromised via external and internal actor. The external actor used a vulnerability of WHMCS (one of many available, at the time).

To this date, the breaches were not disclosed publicly.

phzpw10y ago

Lol, I worked at the same company when this happened.

AustinG0810y ago· 7 in thread

You think they would notify customers. I have a site hosted with them and not a peep, just an invalid password notification when I try to log in.

Edit: just saying, I think it's strange that I'm finding out about it via HN first.

josefresco10y ago

alex_doom10y ago

They emailed everyone who ever had a login. I got an email about it and I was only added as a user to help manage an install 2 years ago.

AustinG0810y ago

I maintain that I never received an email from them. Not in spam or otherwise.

martin-adams10y ago

Depending on the timeframe and how many customers they need to email, they do need to stagger sending otherwise they can be blacklisted.

1 more reply

mynameisvlad10y ago

1 more reply

jackgavigan10y ago

Check your spam. I received an email about 12 hours ago (4:40am GMT).

busterarm10y ago

They notified us at 10PM EST last night.

reustle10y ago· 1 in thread

josefresco10y ago

Your customer portal password (used to access all your intals/billing etc.) will also need to be reset.

jqueryin10y ago

The blog post is rather lackluster in details. There's no word on severity or the password hashing algos used. Anybody have any updates regarding these?

josefresco10y ago

Posted update with new information:

josefresco10y ago

Just got this from support, in regard to password invalidation:

"We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."

Learn2win10y ago

I have asked WP Engine many times to add two factor authentication; I hope they will learn a lesson from it.

ashpriom10y ago

Well, as of now I can't use port 22 and also phpMyadmin. There is no official update on that.

j / k navigate · click thread line to collapse