
WPENGINE Customer Credentials Exposed - artur_makly
Just got this in my inbox:

At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.

We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention.

While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them. Instructions for how to reset these passwords are at the bottom of this email.

WP Engine User Portal
WordPress Database
SFTP
Original WP-Admin Account
Password Protected Installs and Transferable Installs

As a security best practice we also recommend, if you use this password elsewhere with other applications, that you change and update those passwords as well.

We apologize for any inconvenience this event may have caused. We are taking this exposure as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.

We take the security of our customers very seriously. Should you have any questions after resetting your User Portal password, please feel free to contact the WP Engine support team or simply reply to this email. You may also obtain more information about this event by visiting http://wpengine.com/infosec

Sincerely,
The WP Engine Team
======
josefresco
For those of us with many installs, this is painful. Hundreds of password
updates, each requiring documentation, not to mention informing the clients.

~~~
artur_makly
I feel like an idiot now as I have been touting them to clients for years
about their 'built-from-the-ground' WP security fortress. But this just proves
there really really is no bulletproofing.

At the very least they should create a 1 page form you can just recreate all
passwords on en masse.

~~~
atmosx
I didn't know they even existed, but what exactly do you expect? No one is
impenetrable, not even CERN.

What you have to ask is: Are you happy with their response
<time, attitude, etc.>? If yes, then you should keep the faith; if no, move on.

