
WP Engine Security Breach: Customer Credentials Exposed - DavidPP
https://wpengine.com/support/infosec/
======
rmdoss
I will just add it here: It happens all the time.

Unfortunately, most hosting companies don't go public and warn their users.
They try to hide and hope nobody else finds out.

Glad to see them going public, warning their users and doing the right thing.

~~~
gist
"Glad to see them going public, warning their users and doing the right
thing."

Let me ask you something - what do you see as the benefit to going public vs.
not "doing the right thing". I mean that by airing dirty laundry you also run
the risk of losing customers. Are you sure that the goodwill earned by doing
this outweighs the downside of airing your dirty laundry? [1]

[1] I am remembering a time long ago when a business owner told me about
something personal that an employee told them. The business owner said "that
was stupid that they told me that, so I fired them". This idea that all people
in the world view things as generously as you might most likely hasn't been
proven out in research (I am guessing..)

~~~
2close4comfort
How bad is your security? You have a responsibility to tell people. If you own
it and you suck at what you do people should know that too. It is the right
thing to do.

~~~
gist
Responsibility doesn't pay for the high cost of healthcare, taxes or the rent.
Sometimes it's important to be practical for survival purposes. Not every
business out there operates with other people's money or with such gross
profitability that they can just afford to have "responsibility" and "do the
right thing".

~~~
2close4comfort
Respect is a personal trait, not a business trait; either you have it or you
don't. If you want to make money, fine, but chances are if that is your focus
you are not going to have the quality people you need anyway; you will have the
ones you want to afford.

------
jqueryin
The blog post is rather lackluster in details. There's no word on severity or
the password hashing algos used. Anybody have any updates regarding these?

------
AustinG08
You'd think they would notify customers. I have a site hosted with them and not
a peep, just an invalid password notification when I try to log in.

Edit: just saying, I think it's strange that I'm finding out about it via HN
first.

~~~
alex_doom
They emailed everyone who ever had a login. I got an email about it and I was
only added as a user to help manage an install 2 years ago.

~~~
AustinG08
I maintain that I never received an email from them. Not in spam or otherwise.

~~~
martin-adams
Depending on the timeframe and how many customers they need to email, they do
need to stagger sending otherwise they can be blacklisted.

TalkTalk (UK ISP) got public backlash for using the media to announce their
compromise before notifying customers by email. The CEO said the media was the
quickest way, as sending that many emails would take days.

~~~
AustinG08
I suppose that makes sense. Still a little disconcerting that I haven't
received one yet.

------
josefresco
Posted update with new information:

"Our investigation is still actively in progress. We share your frustration
that we cannot provide answers to many of your questions. However, because
this is an active, on-going investigation, including federal law enforcement,
we are limited in what we can share at this time."

------
reustle
I haven't used WPE in a while, but which of these passwords are generated by
them, and which are entered by me? It sounds like the "User Panel" would be my
personal account password. Is this being stored in plain text in their
database?

~~~
josefresco
When you create an install, the system creates a WP admin account, and then
has you reset the password using WP's built in password reset function. Any
installs with an active "original" admin account need to be updated.

Your customer portal password (used to access all your installs/billing etc.)
will also need to be reset.

------
josefresco
Just got this from support, in regard to password invalidation:

"We are still in the process of invalidating the passwords in phases. This
process will be running throughout the day, and your passwords will be
invalidated."

------
Learn2win
I have asked WP Engine many times to add two factor authentication; I hope
they will learn a lesson from it.

------
ashpriom
Well, as of now I can't use port 22 and also phpMyAdmin. There is no official
update on that.

