WPML, one of the largest multilingual plugins for WordPress, was breached this weekend; customers received an email claiming the plugin had released sensitive information.
The email encouraged customers to check their databases and passwords and not rely on the plugin’s customer service to fix the problem.
— Ben Word (@retlehs) January 19, 2019
A tweet sent out on Sunday claims the hacker was an ex-employee using a backdoor. It says the plugin itself wasn’t compromised but customers should change their account passwords.
We’re very sorry to report that our WEBSITE got hacked. Looks like an ex-employee backdoor. There is NO exploit in the WPML plugin, we double-checked. Payment information was NOT compromised as we don’t store this information. We strongly advise changing your WPML account password.
— WPML (@wpml) January 20, 2019
WPML published a blog post that same night saying the site had been secured: “This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems.”
The post goes on to allege the hacker used an old SSH password and a backdoor he left for himself to carry out the attack.
The WPML team assured customers that:
“WPML plugin running on your site does not contain this exploit. Your payment information was not compromised (we don’t store it). The intruder does have your name and email and might have access to your account at WPML.org. The intruder indeed stole the sitekeys, but they are of no use. The sitekeys allow your site to get updates from wpml.org. The intruder cannot push any changes to your site using these keys.”
The company urges customers to update their WPML passwords but assures them that the plugin itself wasn’t part of the attack.