Company resets passwords for all clients, just to be safe

Dec 10, 2015 22:18 GMT

WP Engine, a US-based hosting provider for WordPress-powered sites, has just announced a data breach, during which some of its clients' credentials were exposed.

"We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials," reads the WP Engine announcement. "Out of an abundance of caution, we are proactively taking security measures across our entire customer base."

Ongoing investigation, too early for details

The company has no technical details about the incident at this moment, and it has started an investigation to uncover the source of the leak.

WP Engine has also begun resetting passwords for all of its customers. WP Engine clients usually have different passwords associated with each account.

The company did not reveal which credentials were leaked, but as a precaution it is resetting five of them. These are the WP Engine User Portal password, the SFTP password, the original WP-Admin account password, and the passwords for password-protected installs and transferable installs. All users will be prompted to change these passwords the next time they try to log in.

The password for their WordPress database has also been changed, but this one requires no user interaction, since WP Engine is able to change it without user input.

Rumors place the incident at around 30K customer accounts

Online rumors say that around 30,000 WP Engine accounts were compromised in the incident. These are unconfirmed. Softpedia has contacted WP Engine for confirmation.

The last user tally provided by WP Engine a few years back said the company had 40,000 customers. If the 30K figure is confirmed, this would mean the hackers managed to steal details on three quarters of WP Engine's client portfolio.

Most of the time, data breaches occur due to SQL injection, malware infections, or insider threats.

As you can imagine, customers were not happy.

UPDATE: WP Engine has issued an official statement about the incident to Softpedia. Due to an ongoing investigation and law enforcement involvement, the company cannot disclose how many accounts were affected at this point. It appears that the 30K rumor is based on false information.
