from Hacker News

WP Engine Security Breach: Customer Credentials Exposed

by DavidPP on 12/10/15, 3:51 PM with 27 comments

  • by rmdoss on 12/10/15, 5:00 PM

    I will just add it here: It happens all the time.

    Unfortunately, most hosting companies don't go public and warn their users. They try to hide and hope nobody else finds out.

    Glad to see them going public, warning their users and doing the right thing.

  • by jqueryin on 12/10/15, 5:13 PM

    The blog post is rather lackluster in details. There's no word on severity or the password hashing algos used. Anybody have any updates regarding these?

  • by AustinG08 on 12/10/15, 4:05 PM

    You think they would notify customers. I have a site hosted with them and not a peep, just an invalid password notification when I try to log in.

    Edit: just saying, I think it's strange that I'm finding out about it via HN first.

  • by josefresco on 12/10/15, 9:20 PM

    Posted update with new information:

    "Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time."

  • by reustle on 12/10/15, 4:10 PM

    I haven't used WPE in a while, but which of these passwords are generated by them, and which are entered by me? It sounds like the "User Panel" would be my personal account password. Is this being stored in plain text in their database?

  • by josefresco on 12/10/15, 4:06 PM

    Just got this from support, in regard to password invalidation:

    "We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."

  • by Learn2win on 12/10/15, 5:46 PM

    I have asked WP Engine many times to add two-factor authentication; I hope they will learn a lesson from it.

  • by ashpriom on 12/10/15, 9:36 PM

    Well, as of now I can't use port 22 and also phpMyAdmin. There is no official update on that.