EllisLab reported on Friday that one of its servers was breached on March 24. The company is advising users to change their passwords following the incident.
EllisLab is a Bend, Oregon-based software development company known for the content delivery platform ExpressionEngine and the open source web application framework CodeIgniter. The company’s products are used by tens of thousands of people to build websites and applications.
According to EllisLab, malicious actors gained access to the server using stolen super admin credentials. The attackers then uploaded a PHP backdoor designed to give them root access to the server.
Hosting company Nexcess quickly detected and blocked the attack, but the hackers still had access to the server for three hours. Although there is no evidence to suggest that the user database was stolen, EllisLab says it wants to be cautious, so it is assuming that the malicious actors had access to everything.
The attackers might have accessed usernames, screen names, email addresses, passwords (salted and hashed), profile data, and billing information, including billing name, address, and the last four digits of credit card numbers. Details included in support tickets submitted between February 24 and March 24, including encrypted server authentication credentials, were also exposed.
EllisLab has pointed out that it doesn’t store full payment card data or clear text passwords on its servers.
“ExpressionEngine stores a one-way salted hash of your password and not the password itself (SHA-512 with a unique per-user salt for the cryptos out there). So a hacker would have to use brute force to try to hash various plain-text passwords with your unique salt to see if the result matched. If your password is common or weak, and if the attackers took the database, they could figure yours out,” the company said in a blog post.
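The mechanism the blog post describes, as an added Python example that is not EllisLab's or ExpressionEngine's code: SHA-512 over a unique per-user salt and the password (the concatenation order, the record layout and the audit function are assumptions), a login check, and a defender-side audit showing why an account with a common password falls to a short guess list while a strong one does not.

```python
import hashlib
import secrets

# Constructed sample records, not EllisLab data. Each user gets a fresh random
# salt; the stored value is SHA-512(salt || password). The blog post gives the
# algorithm and the per-user salt; the exact concatenation order is assumed.
def make_salt() -> str:
    return secrets.token_hex(16)

def hash_password(password: str, salt: str) -> str:
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()

def create_record(username: str, password: str) -> dict:
    salt = make_salt()
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    # Constant-time comparison so a login check does not leak how many
    # leading bytes of the hash matched.
    return secrets.compare_digest(record["hash"], hash_password(attempt, record["salt"]))

# Defender's audit after a suspected database exposure: which accounts are
# protected only by a password that appears on a small common-password list?
# Because every salt is unique, each guess must be rehashed per user, which is
# the "brute force ... with your unique salt" point the post makes; the salt
# slows a bulk attack but does nothing for a password that is itself common.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]

def audit_weak_passwords(records: list, wordlist: list = COMMON_PASSWORDS) -> list:
    flagged = []
    for rec in records:
        if any(hash_password(guess, rec["salt"]) == rec["hash"] for guess in wordlist):
            flagged.append(rec["username"])
    return sorted(flagged)

SAMPLE_USERS = [
    create_record("alice", "password"),         # common: should be flagged
    create_record("bob", "T7#vq!Lm2pZr9&xW"),   # strong: no list guess matches
]

if __name__ == "__main__":
    # Same password, two users: the per-user salt gives unrelated hashes.
    a, b = create_record("u1", "password"), create_record("u2", "password")
    print("distinct hashes for same password:", a["hash"] != b["hash"])
    print("accounts to force a password reset for:", audit_weak_passwords(SAMPLE_USERS))
```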
As for the identity of the attackers, EllisLab has determined based on referer data that they are “multi-national,” but additional information could not be obtained because the Tor network was used to disguise the route of the attack.
Based on its investigation, the software company has determined that the malicious actors did not exploit any ExpressionEngine vulnerabilities in the attack. However, an audit of the software conducted right after the discovery of the intrusion brought some security issues to light. These issues have been addressed with the release of ExpressionEngine 2.10.1.
EllisLab advises users to change their passwords to prevent abuse. Passwords provided in support tickets should also be changed, particularly if the information was sent via email in plain text.