Feeds

WordPress.com hack exposes confidential code

Multiple servers rooted

SANS - Survey on application security programs

The company that maintains the WordPress.com blogging platform said hackers gained root access to its servers and made off with sensitive code belonging to it and its partners.

Wednesday's advisory from Automattic is the latest to detail a breach on a company entrusted to keep customer information private. The company, which serves about 18 million publishers, said employees are still determining exactly what data was stolen, but the initial assessment didn't look good.

“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” the company's founder, Matt Mullenweg, wrote. “We presume our source code was exposed and copied. While much of our code is open source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.”

In the comments section to his post, Mullenweg said there's no evidence that passwords were exposed, “and even if they had they'd be difficult to crack.” He advised users to change their passwords anyway, especially if the same one is used in two or more places. WordPress passwords are hashed and salted using the Portable PHP password hashing framework, he added.

Mullenweg didn't say how hackers were able to root multiple servers belonging to his company but said it has “taken comprehensive steps to prevent an incident like this from occurring again.”

Automattic joins companies including RSA Security, Epsilon, and an unnamed reseller of SSL certificate authority Comodo in admitting to breaches that put its customers at risk. So far, there's little public evidence about who is responsible for the hacks.

With about 12 percent of websites running WordPress, the platform has long been a target of hacks. In 2009, a spam-friendly worm attacked older installations of the program, including that of tech blogger Robert Scoble, who lost two months of blog entries as a result. It was the second time that year that his blogging software had been exploited.

More recently, WordPress.com came under a massive denial-of-service attack that made it impossible for many of its users to publish their content.

Source code stored on Automattic's servers includes API keys and Twitter and Facebook passwords that can used to gain access to sensitive information, TechCrunch said.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.