Over the weekend, many WPML customers received an unauthorized email from someone who claimed to have hacked the company’s website and gained access to customer emails. WPML founder Amir Helzer suspects that the attacker is a former employee.

“The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving. Besides fixing the damage, we’ll also be taking legal actions,” Helzer said Saturday night.

The WPML team worked around the clock over the weekend to secure their systems and sent out an email informing customers of the incident. They also assured customers that the WPML plugin does not contain an exploit and that payment information was not compromised. The company published an announcement to their website, detailing the incident and their response:

We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system.

These are more precautions than actual response to the hack. Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.

This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it’s done already.

WPML urges customers not to click on any links in the email the attacker sent out and recommends they change their passwords for wpml.org. The attacker has customer names, emails, and sitekeys, but WPML said the sitekeys cannot be used to push changes to customer websites.

Helzer is convinced that the attack was an inside job and suspects two former employees. He and his team are working to provide evidence to the authorities. He said the the nature of the attack demonstrates that it was likely not an outside hacker:

  • The first time our site was breached was on the day we fired an employee, who had access to our servers. We didn’t identify the breach at that time. However, once we got hacked, we analyzed the original hole and we found in our log when it was placed (yup, he deleted the log, but he didn’t delete the backup). Now that we finished cleaning up the mess, we’re going through all logs and collecting the full evidence.
  • The attacker targeted specific code and database tables that are unique to our site and not generic WordPress or WPML tables.
  • The attacker crafted the attack so that it would cause us long term damage and not be apparent in first sight. That long-term damage is very difficult to guess without knowing our business objectives and challenges. This is information that our employees have, but we don’t disclose.

The idea that a former employee who is known to the company would risk performing these illegal actions is difficult to grasp, even in the case of someone who was fired and may have been acting in retaliation. The risks of being caught seem too great.

“In many jurisdictions including the USA, this is jail time,” Wordfence CEO Mark Maunder said. “So I find it quite incredible that an employee would leave a backdoor, use it to deface their site, steal their data and email all subscribers. This is the infosec equivalent of walking into a police precinct and tagging the wall while the cops watch.”

Helzer said the incident should serve as a wakeup call for companies that employ remote workers. It highlights the importance of having procedures in place for revoking employee access to all systems used as part of day to day operations.

“We have to admit that our site was not secured well enough,” Helzer said. “If someone previously had admin access and stopped working for us, we should have been more careful and avoided this situation.

“This can be a wakeup call for others. We talk a lot about the benefits or remote work and most of the WordPress industry works remotely. This made us realize that we need to be a lot more pessimistic when we allow any access to our system.

“For example, the fact that we’re now coding for ourselves a requirement to login with 2fa, means that we’re not alone in this exposed situation.”

The attacker’s unauthorized email and WPML’s response email went out over the weekend, so many customers will be learning of the incident today when they return to work. Helzer said customers have been supportive so far.

“I think that customers appreciate the fact that we contacted them as fast as we could and we dropped everything and ran to handle this,” he said. “I think that we’ll still have damage. Clients did not run away from us right now but a good reputation is something that you build over years. A nasty incident like this stays ‘on your record.’ This is our livelihood and we take it seriously.”