Feeds

WordPress.com hack exposes confidential code

Multiple servers rooted

SANS - Survey on application security programs

The company that maintains the WordPress.com blogging platform said hackers gained root access to its servers and made off with sensitive code belonging to it and its partners.

Wednesday's advisory from Automattic is the latest to detail a breach on a company entrusted to keep customer information private. The company, which serves about 18 million publishers, said employees are still determining exactly what data was stolen, but the initial assessment didn't look good.

“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” the company's founder, Matt Mullenweg, wrote. “We presume our source code was exposed and copied. While much of our code is open source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.”

In the comments section to his post, Mullenweg said there's no evidence that passwords were exposed, “and even if they had they'd be difficult to crack.” He advised users to change their passwords anyway, especially if the same one is used in two or more places. WordPress passwords are hashed and salted using the Portable PHP password hashing framework, he added.

Mullenweg didn't say how hackers were able to root multiple servers belonging to his company but said it has “taken comprehensive steps to prevent an incident like this from occurring again.”

Automattic joins companies including RSA Security, Epsilon, and an unnamed reseller of SSL certificate authority Comodo in admitting to breaches that put its customers at risk. So far, there's little public evidence about who is responsible for the hacks.

With about 12 percent of websites running WordPress, the platform has long been a target of hacks. In 2009, a spam-friendly worm attacked older installations of the program, including that of tech blogger Robert Scoble, who lost two months of blog entries as a result. It was the second time that year that his blogging software had been exploited.

More recently, WordPress.com came under a massive denial-of-service attack that made it impossible for many of its users to publish their content.

Source code stored on Automattic's servers includes API keys and Twitter and Facebook passwords that can used to gain access to sensitive information, TechCrunch said.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.