I was notified with two separate emails. I subscribe to their security posts (https://wpenginestatus.com/latest-security-update/), and got a separate customer email 12 hours ago informing me of the issue.
Well then maybe you should contact them and your email provider and find out why you didn't get the email. From the other comments, you seem to be in the minority on the "finding out about it via HN first" front.
Depending on the timeframe and how many customers they need to email, they do need to stagger sending otherwise they can be blacklisted.
TalkTalk (UK ISP) got public backlash for using the media to announce their compromise via the media before notifying customers by email. The CEO said, the media was the quickest way as sending that many emails would take days.
Just got this from support, in regard to password invalidation:
"We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."
I haven't used WPE in a while, but which of these passwords are generated by them, and which are entered by me? It sounds like the "User Panel" would be my personal account password. Is this being stored in plain text in their database?
When you create an install, the system creates a WP admin account, and then has you reset the password using WP's built in password reset function. Any installs with an active "original" admin account need to be updated.
Your customer portal password (used to access all your intals/billing etc.) will also need to be reset.
Several years ago I worked at a hosting company that was compromised via external and internal actor. The external actor used a vulnerability of WHMCS (one of many available, at the time).
To this date, the breaches were not disclosed publicly.
"Glad to see them going public, warning their users and doing the right thing."
Let me ask you something - what do you see as the benefit to going public vs. not "doing the right thing". I mean that by airing dirty laundry you also run the risk of losing customers. Are you sure that the goodwill earned by doing this outweighs the downside of airing your dirty laundry? [1]
[1] I am remembering a time long ago when a business owner told me about something personal that an employee told them. The business owner said "that was stupid that they told me that, so I fired them". This idea that all people in the world view things as generously as you might most likely hasn't been proven out in research (I am guessing..)
The benefit is that I feel better about the other years in which nothing like this has happened: it (possibly) means that things didn't happen and not just that I didn't hear about it.
Whereas if I never hear about stuff (or worse, I discover stuff way after the fact) then I don't have much of a basis for knowing if there is any system at all.
For instance, I don't mind getting a spam email or two when I open my email box in the morning, because then I am sure that it's working :D
I don't know how sound or rational that feeling is, but I understand it.
How bad is your security? You have a responsibility to tell people. If you own it and you suck at what you do people should know that too. It is the right thing to do.
Responsibility doesn't pay for the high cost of healthcare, taxes or the rent. Sometimes it's important to be practical for survival purposes. Not every business out there operates with other people's money or with such gross profitability that they can just afford to have "responsibility" and "do the right thing".
Respect is a personal trait not a business trait either you have it or you don't. If you want to make money fine but chances are if that is your focus you are not going to have quality people you need anyway you will have the ones' you want to afford.
The blog post is rather lackluster in details. There's no word on severity or the password hashing algos used. Anybody have any updates regarding these?
If you want to discuss, mail me corey AT pop DOT co. We built on top of the DO API to automatically spin up optimized WordPress droplets based on ansible provisioned base machine snapshots. Bunch of custom stuff in there, but it's not something we were ready to scale as we never opened up SFTP/SSH.
"Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time."
28 comments
[ 3.5 ms ] story [ 68.4 ms ] threadEdit: just saying, I think it's strange that I'm finding out about it via HN first.
TalkTalk (UK ISP) got public backlash for using the media to announce their compromise via the media before notifying customers by email. The CEO said, the media was the quickest way as sending that many emails would take days.
"We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."
Your customer portal password (used to access all your intals/billing etc.) will also need to be reset.
Unfortunately, most hosting companies don't go public and warn their users. They try to hide and hope nobody else finds out.
Glad to see them going public, warning their users and doing the right thing.
To this date, the breaches were not disclosed publicly.
Let me ask you something - what do you see as the benefit to going public vs. not "doing the right thing". I mean that by airing dirty laundry you also run the risk of losing customers. Are you sure that the goodwill earned by doing this outweighs the downside of airing your dirty laundry? [1]
[1] I am remembering a time long ago when a business owner told me about something personal that an employee told them. The business owner said "that was stupid that they told me that, so I fired them". This idea that all people in the world view things as generously as you might most likely hasn't been proven out in research (I am guessing..)
Whereas if I never hear about stuff (or worse, I discover stuff way after the fact) then I don't have much of a basis for knowing if there is any system at all.
For instance, I don't mind getting a spam email or two when I open my email box in the morning, because then I am sure that it's working :D
I don't know how sound or rational that feeling is, but I understand it.
"Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time."