BreachExchange mailing list archives

EllisLab Tells Users to Change Passwords After its Web Host Discovers Security Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 May 2015 18:29:38 -0600

http://www.thewhir.com/web-hosting-news/ellislab-tells-users-change-passwords-web-host-discovers-security-breach

EllisLab, the software development company behind the ExpressionEngine CMS,
announced on Friday that hackers gained unauthorized access to its servers
at the end of March and may have obtained customers’ personal information
in the process.

According to a post-mortem blog post, hackers logged into EllisLab.com with
a stolen Super Admin password at 10:49 am PT on March 24, 2015, and
uploaded a common PHP backdoor script to allow hackers to access its server
without requiring authentication. Hackers had approximately three hours of
access to the server before it was detected by the company’s hosting
provider Nexcess.

Nexcess noticed the malicious activity after seeing failed attempts to gain
root access to the server. Nexcess then “immediately shut down access at
the firewall level” and notified EllisLab.

“We began dissecting the server logs to retrace their steps and learn how
they gained access. We went through all our files to remove what they
added. We also audited ExpressionEngine, since we would need to release a
patch before disclosing the attack if the breach was due to an exploit,”
EllisLab said.

While it doesn’t look like the hackers gained access to the database,
EllisLab said it prefers “to be cautious and assume they had access to
everything.”

Personal information that may have been accessed includes usernames, screen
names, email addresses, salted and hashed passwords and member profile data.

Other information that could have been exposed includes billing name and
address and the last four digits of credit card numbers from invoices, as well as
details included in support tickets from February 24 – March 24, 2015.

EllisLab is telling users to change their EllisLab.com password as well as
any passwords that would have been included in a support ticket.

“Being the direct target of a criminal attack has been a learning
experience and we hope to use what we’ve learned to help our customers. We
have discovered some server changes that you can make to help secure your
site and limit the damage that a bad actor can do. And even though
ExpressionEngine was not exploited in this attack, our audit led to further
security enhancements in our latest 2.10.1 release which you can download
now. Additionally, you may find a few general security tips helpful for
your own site.”

Last year, Nexcess discovered a Magento exploit that allowed credit card
data to be copied during the checkout process after investigating the cause
of fraudulent activity on a client’s account.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
