
EllisLab Users Advised to Change Passwords After Data Breach

EllisLab reported on Friday that one of its servers was breached on March 24. The company is advising users to change their passwords following the incident.

EllisLab is a Bend, Oregon-based software development company known for the content delivery platform ExpressionEngine and the open source web application framework CodeIgniter. The company’s products are used by tens of thousands of people to build websites and applications.

According to EllisLab, malicious actors gained access to the server using stolen super admin credentials. The attackers then uploaded a PHP backdoor designed to give them root access to the server.

Hosting company Nexcess quickly detected and blocked the attack, but the hackers still had access to the server for three hours. Although there is no evidence to suggest that the user database has been stolen, EllisLab says it wants to be cautious so it’s assuming that the malicious actors had access to everything.

The attackers might have accessed usernames, screen names, email addresses, passwords (salted and hashed), profile data, and billing information, including billing name, address, and the last four digits of credit card numbers. Details included in support tickets submitted between February 24 and March 24, including encrypted server authentication credentials, were also exposed.

EllisLab has pointed out that it doesn’t store full payment card data or clear text passwords on its servers.

“ExpressionEngine stores a one-way salted hash of your password and not the password itself (SHA-512 with a unique per-user salt for the cryptos out there). So a hacker would have to use brute force to try to hash various plain-text passwords with your unique salt to see if the result matched. If your password is common or weak, and if the attackers took the database, they could figure yours out,” the company said in a blog post.
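The point in the quote, as an added example (not EllisLab's or ExpressionEngine's code): a per-user salt makes identical passwords hash differently, yet a defender auditing the user table with a short common-password list still finds the weak ones and can force a reset. Assumptions: the hash is SHA-512 over salt followed by password (the page does not say how they are combined), and all names and sample records are constructed.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> str:
    # Assumed construction: SHA-512(salt || password); the page only says
    # "SHA-512 with a unique per-user salt".
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()

def new_record(password: str) -> dict:
    # One fresh random salt per user, stored next to the hash.
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(record: dict, candidate: str) -> bool:
    # Recompute with the user's own salt; compare in constant time.
    expected = hash_password(candidate, record["salt"])
    return hmac.compare_digest(record["hash"], expected)

def audit_weak(records: dict, common: list) -> list:
    # Defender-side audit: which accounts use a password from a common list?
    # Each guess must be re-hashed per user because every salt differs.
    return sorted(user for user, rec in records.items()
                  if any(verify(rec, guess) for guess in common))

def salts_hide_reuse(records: dict) -> bool:
    # alice and bob chose the same password; their stored hashes still differ.
    return records["alice"]["hash"] != records["bob"]["hash"]

def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    # Same inputs through PBKDF2-HMAC-SHA512: every guess now costs
    # `iterations` hash computations instead of one.
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, iterations).hex()

# Constructed sample data (not from the breach).
COMMON = ["123456", "password", "qwerty", "letmein"]
RECORDS = {
    "alice": new_record("password"),
    "bob": new_record("password"),
    "carol": new_record("t7#Vq9!zLw2@xR"),
}

if __name__ == "__main__":
    print("hashes differ despite same password:", salts_hide_reuse(RECORDS))
    print("accounts to force-reset:", audit_weak(RECORDS, COMMON))
```

Accounts flagged by `audit_weak` are the ones the company's warning applies to; `slow_hash` shows the usual mitigation of raising the per-guess cost.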

As for the identity of the attackers, EllisLab has determined based on referer data that they are “multi-national,” but additional information could not be obtained because the Tor network was used to disguise the route of the attack.

Based on its investigation, the software company has determined that the malicious actors did not exploit any ExpressionEngine vulnerabilities in the attack. However, an audit of the software conducted right after the discovery of the intrusion brought some security issues to light. These issues have been addressed with the release of ExpressionEngine 2.10.1.

EllisLab advises users to change their passwords to prevent abuse. Passwords provided in support tickets should also be changed, particularly if the information was sent via email in plain text.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
