Database with customer login information exposed

May 2, 2015 07:55 GMT  ·  By

Hackers gained root access to a server belonging to EllisLab, developer of the professional content management system (CMS) ExpressionEngine, after stealing a super administrator’s credentials.

The perpetrators used the credentials to install a PHP-based backdoor that allowed them to reconnect to the system later without authenticating.

Hackers routed the connection through Tor

The incident was discovered by EllisLab’s web hosting provider, Nexcess, on March 24, when attempts to gain root access were observed and flagged as malicious activity.

The unauthorized activity was stopped immediately by blocking the attackers’ access at the firewall, and EllisLab received a security alert.

According to the results of the investigation, the intrusion lasted for about three hours, and the hackers routed their connection through the Tor anonymization network. As a result, neither their identity nor their location could be established.

Before it was established how the hackers got in, ExpressionEngine, the $299 / €267 PHP and MySQL CMS, was audited for vulnerabilities that could have served as the entry point.

“While evidence shows it is unlikely that they stole the database, we prefer to be cautious and assume they had access to everything,” said Derek Jones, EllisLab CEO, in a blog post on Friday.

Hashes of weak passwords could be cracked

The information that may have been taken by the attackers includes usernames, screen names, email addresses, member profile data and passwords. The passwords were not stored in plaintext but in hashed form (SHA-512 with a unique per-user salt).

In the case of customers, the hackers could also have extracted billing names, addresses and the last four digits of the payment card. Furthermore, the authentication credentials, stored in encrypted form, of anyone who submitted a support ticket between February 24 and March 24 may have been compromised.

Although the passwords were salted and hashed, Jones says that if the intruders grabbed the database, they could still recover common or weak passwords by brute force: the per-user salt only prevents a precomputed table from being reused across accounts, and an attacker who has the salt simply hashes each candidate password together with it and compares the result against the stored hash. Because of this risk, the CEO advises users to reset their EllisLab.com password.
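The attack Jones describes, as an added illustration that is not EllisLab’s code and not ExpressionEngine’s actual password routine: the exact layout assumed here (SHA-512 over salt || password, a random 16-byte salt, hex encoding) is an assumption, since the article only says "SHA-512 hash with a unique per-user salt". The member table and wordlist are constructed sample data. The block builds a leaked-style table, runs a dictionary attack against it with each user’s own salt, and shows that the two weak passwords fall while a random one does not; it also measures how much more each guess would cost under a deliberately slow KDF (PBKDF2), which is the standard mitigation.

```python
"""Dictionary attack against a leaked table of per-user-salted SHA-512 hashes."""
import hashlib
import os
import secrets
import time

SALT_LEN = 16  # bytes; assumed salt size, not taken from the article


def hash_password(password: str, salt: bytes) -> str:
    """Fast salted hash assumed for the leaked table: SHA-512(salt || password), hex."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def make_user_table(users: dict) -> dict:
    """Simulate the stored member table: username -> (salt_hex, hash_hex)."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(SALT_LEN)
        table[name] = (salt.hex(), hash_password(pw, salt))
    return table


def crack(table: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on a leaked table.

    The per-user salt means no precomputed table can be shared between users,
    so every candidate is hashed once per user. With a fast hash that costs at
    most len(wordlist) SHA-512 computations per account.
    Returns (recovered {user: password}, total hash computations).
    """
    recovered = {}
    attempts = 0
    for name, (salt_hex, stored) in table.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            attempts += 1
            if hash_password(candidate, salt) == stored:
                recovered[name] = candidate
                break
    return recovered, attempts


def slow_hash_password(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Mitigation: a deliberately slow KDF (PBKDF2-HMAC-SHA512) makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations).hex()


def cost_ratio(fast_n: int = 2000, slow_n: int = 10) -> float:
    """Wall-clock cost of one PBKDF2 guess relative to one plain SHA-512 guess."""
    salt = os.urandom(SALT_LEN)
    t0 = time.perf_counter()
    for _ in range(fast_n):
        hash_password("guess", salt)
    fast = (time.perf_counter() - t0) / fast_n
    t0 = time.perf_counter()
    for _ in range(slow_n):
        slow_hash_password("guess", salt)
    slow = (time.perf_counter() - t0) / slow_n
    return slow / fast


# Constructed sample members: two weak passwords, one 32-character random one.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": secrets.token_urlsafe(24),  # not in any wordlist
}

# Constructed mini wordlist standing in for a real leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "welcome1"]


def demo() -> tuple:
    """Build the sample table and attack it; returns (recovered, attempts)."""
    table = make_user_table(SAMPLE_USERS)
    return crack(table, WORDLIST)


if __name__ == "__main__":
    recovered, attempts = demo()
    print(f"{attempts} SHA-512 computations, recovered: {recovered}")
    print(f"one PBKDF2 guess costs about {cost_ratio():.0f}x one plain SHA-512 guess")
```

The salt does its job in one respect: two users who chose the same password get different hashes, so the attacker cannot crack one and match it against every other row. It does nothing about the per-account cost, which for a single SHA-512 is a few hundred nanoseconds per guess; a real wordlist of tens of millions of entries is therefore exhausted per user in seconds, which is exactly why weak passwords remain at risk and why a slow KDF such as PBKDF2, bcrypt or scrypt is used instead.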

The same action is recommended for anyone who passed plaintext login details via a support ticket. Additionally, if the account was created only for support purposes, removing it should be considered.

Jones says that ExpressionEngine itself was not affected by the attack, but a new version (2.10.1) has been released, which includes several security enhancements.