CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 14th, 2011

Multiple WordPress.com Servers Hacked, Confidential Code, Private Data Stolen

The company that maintains the WordPress.com blogging platform said hackers gained root access to its servers and made off with sensitive code belonging to it and its partners.

Wednesday’s advisory from Automattic is the latest to detail a breach on a company entrusted to keep customer information private. The company, which serves about 18 million publishers, said employees are still determining exactly what data was stolen, but the initial assessment didn’t look good.

“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” the company’s founder, Matt Mullenweg, wrote. “We presume our source code was exposed and copied. While much of our code is open source, there are sensitive bits of our and our partner’s code. Beyond that, however, it appears information disclosed was limited.”

In the comments section to his post, Mullenweg said there’s no evidence that passwords were exposed, “and even if they had they’d be difficult to crack.” He advised users to change their passwords anyway, especially if the same one is used in two or more places. WordPress passwords are hashed and salted using the Portable PHP password hashing framework (phpass), he added.

Mullenweg didn’t say how hackers were able to root multiple servers belonging to his company but said it has “taken comprehensive steps to prevent an incident like this from occurring again.”

Automattic joins companies including RSA Security, Epsilon, and an unnamed reseller of SSL certificate authority Comodo in admitting to breaches that put their customers at risk. So far, there’s little public evidence about who is responsible for the hacks.

With about 12 percent of websites running WordPress, the platform has long been a target of hacks. In 2009, a spam-friendly worm attacked older installations of the program, including that of tech blogger Robert Scoble, who lost two months of blog entries as a result. It was the second time that year that his blogging software had been exploited.

More recently, WordPress.com came under a massive denial-of-service attack that made it impossible for many of its users to publish their content.

Source code stored on Automattic’s servers includes API keys and Twitter and Facebook passwords that can be used to gain access to sensitive information, TechCrunch said.

Credit: The Register
