Angry ex-employee blamed for hack of WordPress plugin developer, and email to customers warning of security hole

Graham CLULEY

January 21, 2019

This weekend, users of the popular WordPress translation plugin WPML (also known as WordPress MultiLingual) received an email from a hacker claiming to expose serious security vulnerabilities in the software that allegedly put the customers’ own websites at risk.

In the mass email, sent from WPML’s own servers, the hacker claimed that two of his own websites had been breached due to “a bunch of ridiculous security holes” in WPML’s code. He went on to warn recipients that their own websites could be at risk.

I’m able to write this here because of the very same WPML flaws as this plugin is used on wpml.org too.

Please take this with the warm recommendation of triple-enforcing your security on websites where you use WPML if you must use it. Make frequent backups and monitor your websites closely. Do not leave sensible information laying around in the database or on the server. Use only WPML components and features that you really need. Or ask for your money back.

In a statement on its website, WPML acknowledged that it had been hacked and that it believed the perpetrator to be a former employee.

However, the company disputed the hacker’s claim that there were security holes in the WPML WordPress plugin, and instead claimed that the attacker had accessed its infrastructure by using an old SSH password and backdoor that he had left for himself whilst he worked for the firm.

Even if that’s true, there’s still cause for some concern. After all, if a hacker was able to mass-mail up to 600,000 customers from WPML’s own systems, it’s easy to imagine how a more maliciously-minded attacker might use the same capabilities to send out a phishing campaign or malicious links designed to infect users’ computers.

Another nightmare scenario would be if the widely-used plugin’s code was tampered with by an attacker, potentially putting thousands of other websites at risk of exploitation. WPML says that it has verified its plugin’s code has not been compromised.

However, WPML does admit that the alleged ex-employee did manage to steal the names and email addresses of customers, send an unauthorised email on WPML’s behalf, deface WPML’s online store, and publish a bogus blog post containing the same content as the email.

The company says that in response to the attack it has rebuilt its website and ensured that access to administrator accounts is now controlled by two-factor authentication (2FA). Furthermore, WPML says that it has “minimized the access that the web server has to the file system.”
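Two of the points above translate into concrete checks a site operator can run: verifying that a plugin's code on disk has not been altered (the tampering scenario raised earlier), and confirming that the web-server account cannot write to that code (the "minimized access to the file system" hardening WPML describes). The script below is an added example written for this article; it is not WPML's or Bitdefender's code, and the plugin tree, file names and permission changes it uses are constructed inside a temporary directory. It assumes a typical layout where code is owned by a deployment user and the web server runs as a separate account, so any group- or world-writable PHP/JS file counts as a finding.

```python
"""Added example (not the plugin vendor's code): record a SHA-256 manifest of a
plugin directory, re-verify it later to spot modified/added/missing files, and
flag code files whose permissions would let the web-server account alter them.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# File types that should never be writable by the web-server account.
CODE_SUFFIXES = {".php", ".js"}


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in current),
        "added": sorted(k for k in current if k not in expected),
    }


def writable_code_files(root: Path) -> list[str]:
    """Code files writable by group or others.

    Assumption: the web server runs as its own account (e.g. in the file's group
    or as 'other'), so these mode bits are what would let it rewrite plugin code.
    """
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in CODE_SUFFIXES:
            mode = path.stat().st_mode
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(path.relative_to(root).as_posix())
    return sorted(findings)


def demo() -> dict:
    """Build a constructed plugin tree, record a baseline, then simulate drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "plugins" / "example-plugin"  # constructed path
        (root / "inc").mkdir(parents=True)
        files = {
            "plugin.php": "<?php // constructed sample plugin entry point\n",
            "inc/helper.php": "<?php function helper() { return 1; }\n",
            "readme.txt": "constructed readme\n",
        }
        for rel, body in files.items():
            (root / rel).write_text(body)
            os.chmod(root / rel, 0o644)  # owner-writable only: the hardened state

        baseline = build_manifest(root)
        clean_drift = verify_manifest(root, baseline)
        clean_writable = writable_code_files(root)

        # Simulate what a compromise or careless deploy would leave behind:
        # an altered file, a new file, and a code file opened up to group/other.
        (root / "inc" / "helper.php").write_text("<?php function helper() { return 2; }\n")
        (root / "dropped.php").write_text("<?php // constructed unexpected file\n")
        os.chmod(root / "dropped.php", 0o644)
        os.chmod(root / "plugin.php", 0o666)

        return {
            "clean_drift": clean_drift,
            "clean_writable": clean_writable,
            "drift": verify_manifest(root, baseline),
            "writable": writable_code_files(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline manifest would be generated from a freshly downloaded copy of the plugin (or from the vendor's published package) and stored somewhere the web server cannot write, and both checks would run on a schedule so that a change to plugin code surfaces quickly rather than after customers report symptoms.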

WPML further underlined in its advisory that no payment information had been compromised, and that the popular WordPress plugin does not contain a vulnerability. Customers have been advised to reset their passwords.

From the sound of things, WPML may have a pretty strong idea of the identity of its hacker. One would anticipate, therefore, it is going to share their information with law enforcement so a proper investigation into the data breach can take place.
