
WordPress Hosting Service WP Engine Announces Data Breach UPDATE


vissha


Company resets passwords for all clients, just to be safe

 

Quote

WP Engine, a US-based hosting provider for WordPress-powered sites, has just announced a data breach, during which some of its clients' credentials were exposed.

 

"We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials," reads the WP Engine announcement. "Out of an abundance of caution, we are proactively taking security measures across our entire customer base."


Ongoing investigation, too early for details

 

The company has no technical details about the incident at this moment, and an investigation was started to uncover the source of the leak.

 

WP Engine has also started resetting passwords for all of its customers. WP Engine clients usually have different passwords associated with each account.

 

The company did not reveal which credentials were leaked, but as a precaution is resetting five of them. These are the WP Engine User Portal password, SFTP password, the original WP-Admin account password, the passwords for password-protected installs and transferable installs. All users will be prompted to change these passwords the next time they try to log in.

 

The password for their WordPress database has also been changed, but there's no user interaction for this one, WP Engine being able to change this one without user input.


Rumors place the incident at around 30K customer accounts

 

Online rumors say that around 30,000 WP Engine accounts were compromised in the incident. These are unconfirmed. Softpedia has contacted WP Engine for confirmation.

 

The last user tally provided by WP Engine a few years back said the company had 40,000 customers. If the 30K figure is confirmed, this would mean the hackers managed to steal details on three quarters of WP Engine's client portfolio.

 

Most of the time, a data breach occurs due to SQL injections, malware infections, or insider threats.

 

As you can imagine, customers were not happy.

 

@wpengine What's with the lack of 2FA? — Jordan Felle (@jordanfelle) December 10, 2015

 

UPDATE: WP Engine has issued an official statement about the incident to Softpedia. Due to an ongoing investigation and law enforcement involvement, the company cannot disclose how many accounts were affected at this point. It appears that the 30K rumor is based on false information.

 

WP Engine Statement:


Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time.

 

We are acting quickly and on the side of caution and we sincerely apologize for the inconvenience this has caused. 

We became aware of the exposure yesterday, December 9th. Our team immediately took steps to mitigate the exposure, including:

  • We contacted all of our customers to take immediate action to change their credentials (if you have not yet changed your credentials, please do so immediately according to the instructions below) 
  • We engaged a leading cyber security firm to help our Security Team investigate the exposure
  • We notified Federal law enforcement

We want to share information with you as soon as it is available and appropriate to share, rather than wait until all the facts are known. We believe this is the right thing to do even though it creates additional frustration as not all information is known. Updates will continue to be posted at http://wpengine.com/infosec

 

Source
