Piwik.org, the official website of the free software web analytics system for PHP/MySQL webservers, has been hacked. The attacker planted a piece of malicious code inside the .zip file containing Piwik 1.9.2.
According to Piwik representatives, the incident affects only users who updated or installed Piwik 1.9.2 on November 26, between 15:43 UTC and 23:59 UTC.
Customers who believe they might be affected are advised to check for a piece of malicious code at the end of the Loader.php file located in the Core directory. If the code is present, they must back up config.ini.php, delete the Piwik directory, and download a clean copy from piwik.org.
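Rather than hunting for one known snippet, a practitioner can compare the whole installed tree against a freshly downloaded clean copy. The following is an added example, not code from the article or from the Piwik project: it hashes both trees with SHA-256 and reports modified, added and missing files, so a tampered core/Loader.php shows up even if the exact appended code is unknown. The paths core/Loader.php and config/config.ini.php are assumed from the article's description, and the tampered content in the demo is a constructed placeholder.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (no full read into memory)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map every file under root (relative, '/'-separated) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_install(clean_root, installed_root,
                    ignore=("config/config.ini.php",)) -> dict:
    """Diff an installed tree against a clean reference tree.

    Site-specific files (the config you would back up anyway) are ignored;
    anything else that differs, appears or vanishes is reported."""
    clean = tree_hashes(Path(clean_root))
    installed = tree_hashes(Path(installed_root))
    modified = sorted(f for f in clean if f in installed
                      and clean[f] != installed[f] and f not in ignore)
    added = sorted(f for f in installed if f not in clean and f not in ignore)
    missing = sorted(f for f in clean if f not in installed)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Build two constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        for root in (clean, inst):
            (root / "core").mkdir(parents=True)
            (root / "core" / "Loader.php").write_text("<?php\n// clean loader\n")
            (root / "index.php").write_text("<?php\n// entry point\n")
        # Tamper the installed copy: a constructed placeholder, not the real payload.
        with (inst / "core" / "Loader.php").open("a") as f:
            f.write("// APPENDED-PLACEHOLDER\n")
        (inst / "core" / "extra.php").write_text("<?php\n")   # unexpected file
        (inst / "config").mkdir()
        (inst / "config" / "config.ini.php").write_text("; site settings\n")
        return compare_install(clean, inst)
```

Run `compare_install("/path/to/clean-1.9.2", "/path/to/live-piwik")` against a real install; the demo only shows the expected shape of the report.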
The attacker apparently gained access to the company's servers by exploiting a vulnerability in a WordPress plugin.
“The website Piwik.org is running WordPress and got compromised, because of a security issue in a WordPress plugin. As far as we know, the Piwik software does not have any exploitable security issue,” the Piwik team wrote.
Fortunately, since the website doesn’t track any web analytics data from users, no personal or sensitive data has been obtained by the attacker.
Piwik is currently working on new mechanisms to prevent such incidents from recurring.
The web analytics system is currently utilized by over 320,000 websites. It's preferred by many webmasters because of its privacy features and the control it offers over the analytics data.
Piwik is available for download here.