WordPress Security Provider Leaks Client Passwords

iThemes, a content management system security plugin and training provider, has taken responsibility for being complicit in exposing its customers’ information.

After noticing suspicious activity on a server, iThemes uncovered a significant breach of its membership database. That happens to companies, including tech companies, every day. But what happened next was unusual for a tech company.

“There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current,” iThemes founder Cory Miller said in a blog post.

“Clear-text” passwords are stored unprotected: they are not transformed into an unreadable form the way so-called encrypted (in practice, hashed) passwords are. If an attacker obtains clear-text, also known as plain-text, data, it is immediately legible and usable.

Security researchers at Tripwire were apoplectic that a company that advises clients on WordPress password protection failed to protect its own client base’s passwords.

“It’s petrifying to think that a technology company is actually storing passwords in plaintext in this day and age, despite the constant news headlines of security breaches and hacks. What makes it even more jaw-dropping is that iThemes actually works in the security field,” Tripwire reports. “The sad truth is that it doesn’t matter how strong the passwords are if your website gets hacked and the passwords have been stored in plaintext.”

Miller seemed to recognize the gravity of this security faux pas. “As the founder and CEO, the leader of this company, I want you to know: the buck stops with me and me alone. At the end of the day, I am responsible for our company, iThemes, and the work we do. I’ve often tried to defer credit for the great work we’ve done to our team, but as for the mistakes we make, that credit belongs solely to me.”

According to the company, the attackers may be able to glean customer passwords, IP addresses, names of products purchased, access times and payment receipt information, but no other payment data.