EllisLab servers breached by hackers wielding stolen admin password

EllisLab, the company behind the popular ExpressionEngine CMS, has suffered a breach after hackers managed to gain unauthorized access to its servers.

“At 10:49am PDT on March 24, 2015, an attacker logged into EllisLab.com with a Super Admin’s stolen password. The perpetrator then uploaded a common PHP backdoor script (a WSO Web Shell variant) that allowed a group of attackers access to our server without requiring authentication,” EllisLab CEO Derek Jones explained in a blog post on Friday.

The attack was apparently spotted by Nexcess, the company’s web hosting provider, and lasted three hours.

“We began dissecting the server logs to retrace their steps and learn how they gained access. We went through all our files to remove what they added. We also audited ExpressionEngine, since we would need to release a patch before disclosing the attack if the breach was due to an exploit,” Jones said.
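The log-dissection step Jones describes is worth seeing in code. What follows is an added example, not anything EllisLab published: it parses constructed Apache access-log lines, takes the Super Admin login as the pivot point, flags PHP files outside a known-good set that answer POSTs from several source addresses after that login (the footprint of an unauthenticated web shell), and checks a constructed upload for strings commonly seen in WSO variants. Every path, address, timestamp and indicator string is an assumption made for illustration.

```python
"""Triage helpers for the scenario above: an attacker logs in with valid
admin credentials, uploads a PHP web shell, and the shell is then used by
several clients without any further authentication. Added example, not
EllisLab's tooling; every path, address and timestamp below is constructed."""
import re
from datetime import datetime

# Constructed Apache combined-format access log. 203.0.113.7 plays the
# "admin" login; the two other addresses stand in for the group that used the shell.
SAMPLE_LOG = """\
192.0.2.44 - - [24/Mar/2015:09:12:00 -0700] "POST /images/uploads/old.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:49:02 -0700] "POST /admin.php?/cp/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:51:40 -0700] "POST /admin.php?/cp/addons/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2015:10:52:05 -0700] "POST /images/uploads/cache.php HTTP/1.1" 200 8190 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Mar/2015:11:03:17 -0700] "POST /images/uploads/cache.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Mar/2015:11:20:55 -0700] "GET /index.php HTTP/1.1" 200 15330 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Mar/2015:11:21:10 -0700] "POST /index.php?/contact HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [24/Mar/2015:12:41:09 -0700] "POST /images/uploads/cache.php HTTP/1.1" 200 331 "-" "curl/7.38"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": path,
            "query": query,
            "status": int(m.group("status")),
        })
    return entries

def login_time(entries, login_path, login_query_prefix):
    """Timestamp of the first POST to the control-panel login (the pivot point
    for everything that follows), or None if there is none."""
    for e in entries:
        if (e["method"] == "POST" and e["path"] == login_path
                and e["query"].startswith(login_query_prefix)):
            return e["ts"]
    return None

def find_shell_candidates(entries, known_php, since):
    """PHP files outside the known-good set that answered POSTs with 200 after
    `since`. A file that only appears after the login and is then POSTed to
    from several addresses is the classic web-shell footprint."""
    found = {}
    for e in entries:
        if e["method"] != "POST" or e["status"] != 200 or e["ts"] < since:
            continue
        if not e["path"].endswith(".php") or e["path"] in known_php:
            continue
        rec = found.setdefault(e["path"], {"ips": set(), "hits": 0,
                                            "first": e["ts"], "last": e["ts"]})
        rec["ips"].add(e["ip"])
        rec["hits"] += 1
        rec["first"] = min(rec["first"], e["ts"])
        rec["last"] = max(rec["last"], e["ts"])
    return found

# Indicator strings for WSO-style shells and generic PHP droppers. These are
# assumptions drawn from commonly published variants, not a complete signature
# set; check them against current threat intel before relying on them.
SHELL_INDICATORS = [
    ("wso_filesman", re.compile(r"\bFilesMan\b")),
    ("wso_version", re.compile(r"\bWSO_VERSION\b")),
    ("wso_login", re.compile(r"\bwsoLogin\b")),
    ("eval_decoded_payload",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")),
    ("request_to_exec",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]

def scan_php_source(src):
    """Names of the indicators present in a PHP source string, in list order."""
    return [name for name, rx in SHELL_INDICATORS if rx.search(src)]

# Constructed fragment carrying two WSO-style markers; it is not a working shell.
SAMPLE_UPLOAD = """<?php
$default_action = 'FilesMan';
if (!empty($_POST['a']) && function_exists('action' . $_POST['a'])) { /* ... */ }
eval(gzinflate(base64_decode('...')));
"""

KNOWN_PHP = {"/index.php", "/admin.php"}  # the site's legitimate entry points (assumed)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    since = login_time(entries, "/admin.php", "/cp/login")
    for path, rec in find_shell_candidates(entries, KNOWN_PHP, since).items():
        print(f"{path}: {rec['hits']} POSTs from {len(rec['ips'])} addresses, "
              f"{rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}")
    print("indicators in uploaded file:", scan_php_source(SAMPLE_UPLOAD))
```

On the sample data the only candidate is the file POSTed to by both the "admin" address and a second address after the login, which is exactly the pattern to chase in the real logs: the stolen password is used once, then the shell takes over and authentication is no longer in the picture. The indicator list is deliberately short; in practice you would diff the webroot against a known-good release and run a proper scanner, and treat any PHP file under an upload directory as suspect regardless of what it contains.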

The good news is that ExpressionEngine was not exploited – the attackers gained access by using a stolen Super Admin password.

The identity of the attackers is likely to remain unknown, as they routed their attacks via Tor. It is also hard to say for sure what information they compromised.

“While evidence shows it is unlikely that they stole the database, we prefer to be cautious and assume they had access to everything,” he noted. “Everything” includes usernames, screen names, email addresses, salted and hashed passwords, member profile data; billing name, address and last four digits of the credit card customers used to purchase software from the company; and details regarding support tickets submitted between February 24 and March 24, 2015.

Even though the company does not store passwords in plain text, it advised users to change their passwords as a precaution, especially if they used a common or weak one (salting and hashing slow down offline cracking, but do not save a weak password). Customers who submitted a support ticket during that period should also check whether they included login details in plain text in the ticket and, if so, change that password.

Jones concluded the status report by saying that their audit of ExpressionEngine led to the implementation of additional security enhancements, and advised users to update to the latest version (2.10.1).