Slashdot Mirror
WordPress.org Hacked, Plugin Repository Compromised
An anonymous reader writes "Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to Wordpress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great reminder for all users not use the same password for two different services."
Tough year? How about the year people finally realize security "professionals" are actually NEEDED!
"This is a great remainder [sic] for all users not use the same password for two different services."
Not it's not. Not even slightly.
The amount of mental effort required by users to memorise a different password for every internet site is at best unreasonable, if not a completely insane idea. While using the same password for Hotmail and internet banking is really not a good idea, using the same password for wordpress.com and wordpress.org is just common sense for people who don't have a photographic memory.
Blaming the user here is unreasonable.
The summary is incorrect as usual.
Some contributors' accounts were compromised, resulting in updates containing backdoors appearing from those contributors. The blog entry mentions AddThis, WPtouch and W3 Total Cache. The WordPress.org plugin repository was not hacked.
It's looking increasingly like this year is going to be the year of the hacker. It's a new security breach every week (often several per week). It's getting to be quite dizzying.
Gonna be a tough year for IT security "professionals".
Professionals left that world and went onto other things when suits concluded that security products are enough.
So now, it'll be hackers vs security products and trained monkeys. Fun all around.