EllisLab, the software development company behind the ExpressionEngine CMS, announced on Friday that hackers gained unauthorized access to its servers at the end of March and may have obtained customers’ personal information in the process.
According to a post-mortem blog post, the attackers logged into EllisLab.com with a stolen Super Admin password at 10:49 am PT on March 24, 2015, and uploaded a common PHP backdoor script that let them reach the server without authenticating. They had approximately three hours of access to the server before the intrusion was detected by the company’s hosting provider, Nexcess.
Nexcess noticed the malicious activity after seeing failed attempts to gain root access to the server. Nexcess then “immediately shut down access at the firewall level” and notified EllisLab.
“We began dissecting the server logs to retrace their steps and learn how they gained access. We went through all our files to remove what they added. We also audited ExpressionEngine, since we would need to release a patch before disclosing the attack if the breach was due to an exploit,” EllisLab said.
While it doesn’t look like the hackers gained access to the database, EllisLab said it prefers “to be cautious and assume they had access to everything.”
Personal information that may have been accessed includes usernames, screen names, email addresses, salted and hashed passwords and member profile data.
Other information that could have been exposed includes billing names and addresses and the last four digits of credit card numbers from invoices, as well as details included in support tickets from February 24 – March 24, 2015.
EllisLab is telling users to change their EllisLab.com password as well as any passwords that would have been included in a support ticket.
“Being the direct target of a criminal attack has been a learning experience and we hope to use what we’ve learned to help our customers. We have discovered some server changes that you can make to help secure your site and limit the damage that a bad actor can do. And even though ExpressionEngine was not exploited in this attack, our audit led to further security enhancements in our latest 2.10.1 release which you can download now. Additionally, you may find a few general security tips helpful for your own site.”
Last year, Nexcess discovered a Magento exploit that allowed credit card data to be copied during the checkout process while investigating the cause of fraudulent activity on a client’s account.