Slashdot Mirror


WordPress.org Hacked, Plugin Repository Compromised

An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to WordPress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not to use the same password for two different services."

15 of 110 comments

  1. A great remainder... by hammarlund · · Score: 2

    and a great reminder as well.

    1. Re:A great remainder... by pushing-robot · · Score: 2

      Can we stop with the obligatory "OMG typo" posts on every thread? We all know the common denominator among editors here is a low proofreading quotient, but let's not allow it to cause division.

      --
      How can I believe you when you tell me what I don't want to hear?
  2. Year of the Hacker by wjousts · · Score: 2

    It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

    Gonna be a tough year for IT security "professionals".

    1. Re:Year of the Hacker by SatanClauz · · Score: 5, Insightful

      Tough year? How about the year people finally realize security "professionals" are actually NEEDED!

    2. Re:Year of the Hacker by ygbsm · · Score: 2

      You mean year of the criminal scum bag, right? It's time our community quit treating some of these guys like heroes and freedom fighters - they're vandals, crooks, and thieves, and need to be treated as such. There are no "grey hats" - you're either a white hat or a black hat, and you can't be both.

    3. Re:Year of the Hacker by X.25 · · Score: 3, Interesting

      It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.

      Gonna be a tough year for IT security "professionals".

      Professionals left that world and went onto other things when suits concluded that security products are enough.

      So now, it'll be hackers vs security products and trained monkeys. Fun all around.

    4. Re:Year of the Hacker by Lumpy · · Score: 2

      They hire minimum wage lackeys for the physical security... what makes you think they will hire someone skilled for the IT security?

      --
      Do not look at laser with remaining good eye.
  3. A great reminder? by iateyourcookies · · Score: 5, Insightful

    "This is a great remainder [sic] for all users not use the same password for two different services."

    Not it's not. Not even slightly.

    The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.

    Blaming the user here is unreasonable.

    1. Re:A great reminder? by BlackPignouf · · Score: 2

      https://www.pwdhash.com/

      You're welcome!

    2. Re:A great reminder? by Tsar · · Score: 2

      "This is a great remainder [sic] for all users not use the same password for two different services."

      Not [sic] it's not. Not even slightly.

      Respectfully, I beg to differ. I'm running a password manager to keep track of all my passwords, online and otherwise. I'll never go back, and neither should you.

      Except for my password to the app itself (which is absurdly long but memorized and periodically changed), all my passwords are unique, cryptographically secure random printable-character strings of the maximum length allowed by each system or 255 characters, whichever is shorter. I keep three deeply-encrypted copies stored remotely, so unless we lose North America, I'll never have a problem getting back into my Slashdot account.

      Once I've entered my master password I only have to hit a system key combo to enter my credentials into any site, so after initial setup it's much more convenient than even using the same password everywhere. Yes, there are always potential security holes, but I believe that I'm managing them quite well, thank you.

      I didn't realize how many sites I had login credentials for (well into the triple digits) until I set up this app. Most of them used one of a very small handful of passwords. What's worse, I sometimes tried several of those passwords before I got logged into a site, so a malicious site could easily keep track of those attempts and have the passwords for many of my other sites. Not any more. Changing a password isn't a chore anymore, because I don't have to re-memorize anything. I simply generate a password of the maximum allowed length and complexity, swap it out and move on. Finally, I don't have a photographic memory either, so it's good that I don't have to remember all the sites where I used the same password as I did on the current Hacked Site of the Day.
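The scheme Tsar describes (a unique, uniformly random, printable-character password per site, as long as the site allows and never longer than 255 characters) is easy to reproduce with the standard library. This is an added illustration, not code from the thread or from any password manager; the alphabet, the site list and the per-site length limits are constructed for the example.

```python
import math
import secrets
import string

# Printable ASCII without whitespace; a manager would normally let the user
# tune this set. Constructed for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

HARD_CAP = 255  # the ceiling mentioned in the comment above


def generate_password(site_max_len, alphabet=ALPHABET):
    """Return a password of min(site_max_len, 255) characters drawn uniformly
    from `alphabet` with the OS CSPRNG (the `secrets` module)."""
    if site_max_len < 1:
        raise ValueError("site must allow at least one character")
    length = min(site_max_len, HARD_CAP)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def build_vault(site_limits):
    """Give every site its own password. `site_limits` maps a site name to the
    maximum password length that site accepts."""
    return {site: generate_password(limit) for site, limit in site_limits.items()}


def all_unique(vault):
    """True when no two sites share a password, which is the property that
    stops one breached site from unlocking the others."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    # Constructed sample limits, not measured from any real site.
    limits = {"wordpress.org": 64, "wordpress.com": 64,
              "bank.example": 20, "forum.example": 1000}
    vault = build_vault(limits)
    for site, pw in vault.items():
        print(f"{site:16} len={len(pw):3} entropy~{entropy_bits(len(pw)):.0f} bits")
    print("all unique:", all_unique(vault))
```

The `secrets` module is the right source of randomness here; `random` is seeded for reproducibility, not secrecy. A 20-character password from this 94-symbol alphabet carries about 131 bits of entropy, well beyond what any online guessing or offline cracking effort can cover, so the site-imposed maximum, not the user's memory, becomes the limiting factor.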

  4. Wrong as usual by gaspyy · · Score: 5, Informative

    The summary is incorrect as usual.

    Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.

  5. Re:store hash instead of password by Otto · · Score: 2

    WordPress does only store password hashes, using the PHPass hashing library.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  6. Re:Now is the time by Stenchwarrior · · Score: 2

    Please say you were joking.

    On behalf of the rest of us Americans, please understand that only less than half of the people in our country actually talk and act like this guy; it's not everyone, I assure you.

  7. Re:store hash instead of password by KiloByte · · Score: 2

    That's bland. Needs salt.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
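Otto's and KiloByte's exchange above (hashes are stored, but a hash is only useful with a per-user salt) can be shown end to end. The code below is an added example written for this page, not WordPress or PHPass code: it uses PBKDF2-HMAC-SHA256 from the standard library in place of PHPass, and the iteration count, user list and passwords are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for the example; they are not WordPress settings.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Hash `password` under a fresh random salt and return a self-describing
    record of the form algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the salt stored in `record` and compare it in
    constant time so a wrong guess leaks nothing through timing."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected.hex(), digest_hex)


def unsalted_hash(password):
    """The 'bland' version: a plain digest with no salt. Every user who picked
    the same password gets the same digest, so one precomputed table covers
    all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def distinct_records(records):
    """Number of distinct stored values; with salts this equals the number of
    users even when they all share one password."""
    return len(set(records))


if __name__ == "__main__":
    # Constructed user table: three contributors who chose the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "correct horse"}
    salted = {u: hash_password(p) for u, p in users.items()}
    plain = {u: unsalted_hash(p) for u, p in users.items()}
    print("distinct salted records:", distinct_records(salted.values()))   # 3
    print("distinct unsalted records:", distinct_records(plain.values()))  # 1
    print("alice logs in:", verify_password("correct horse", salted["alice"]))
    print("alice with wrong password:", verify_password("wrong", salted["alice"]))
```

The salt does not need to be secret, only unique, which is why it can sit in the record next to the digest. The iteration count is what makes each guess expensive for an attacker holding a leaked table; PHPass, which WordPress uses, achieves the same two properties with its own portable hashing format.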
  8. Summary is full of shit, as usual by billcopc · · Score: 2

    Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back

    Three popular plugins. Yes, they're popular, I've used all three on several sites.

    THAT'S IT! That is the extent of the damage. Three plugin authors whose passwords were exposed. Nobody "gained access to [...] the plugin repository". Dear submitter, go back to kindergarten and learn to read. It's in the first two goddamned sentences.

    This place has gone to the dogs... where the hell is a guy supposed to get his tech news anymore ?

    --
    -Billco, Fnarg.com