*Update* As of Dec. 9, 2014, we can now say we have resolved the security vulnerabilities exposed in this breach.
Here is a recap of the measures we have taken to protect your data moving forward:
- All of our sites have been moved to SSL. SSL protects the data sent from your browser to our server. This ensures that your username and password details aren’t captured by someone on a shared internet connection or Wi-Fi.
- We’re now behind Sucuri’s Web Access Firewall (WAF). Sucuri’s WAF protects our server from a wide variety of known and unknown attacks, adding an extra layer of protection to ithemes.com.
- We’re no longer storing any plain text passwords. Even if someone compromises our server, they cannot grab a database full of passwords to start attacking with.
- We reset all pre-breach passwords (WordPress accounts, forum accounts, membership admins, databases, SSH users, FTP users, etc.) and reset all access keys. Any passwords or keys that attackers could have taken were invalid the same day that the compromise was discovered. This means that they would be unable to quickly and easily regain access to the server.
- We isolated iThemes.com away from many other sites to reduce the number of possible entry points. By greatly reducing the number of sites and other resources running on the same server as ithemes.com, we limited the options available to attackers.
After noticing some suspicious activity on our server earlier today, we discovered a significant attack on our membership database. In an over-abundance of caution, we’re asking all customers to reset their iThemes password immediately.
To protect your account from any unauthorized access, we’ve temporarily reset all user passwords. We just sent emails to our entire iThemes customer community asking you to do this as well. To regain access to your account, you’ll need to reset your password now.
Seeking to do what is right for you, our customers, and acknowledging this is a sensitive and important security issue, I know you will have questions about it. As such, here are answers to the key questions we think you’ll want to know:
1. What information did the attackers get access to?
It is possible that the attackers could put together the following information:
- Email address
- First and last name (if you set it)
- IP address
- The names of products you purchased
- Coupon codes you might have used
- Access times
- Payment receipt information (but no other payment info)
2. Was credit card or other payment information compromised?
No. We use third-party payment processors allowing us to handle all payments off-site.
3. What should you do?
- Create a new, unique password on iThemes.com that is different from your current password. (I use and we suggest a free password manager like LastPass.com for this.)
- If you have used that password elsewhere with the same username or email address, update the password immediately on each site with a new, unique password.
4. What are the next steps?
At this point we have a number of things we are doing to (1) better understand what occurred, (2) ensure the security of our server systems, and (3) provide you with the safest online experience when visiting our site(s).
To do this, here is a list of the things we have done or will be doing in the coming days:
- We are performing a review / audit of our Information Technology (IT) Stack
- We are performing a review / audit of our Products and their code base
- We are reviewing and updating our Security Incident Response and Detection procedures
We have also enlisted the help of Sucuri through this process. As pertinent information becomes available, we will compile and release it in a timely and orderly fashion.
I deeply apologize for this event. Security is a staple of the service and products we provide and I assure you we will do everything we can to analyze, understand how this occurred and seek to prevent it from happening again.
Know that your personal information is of the utmost priority to me and if you have any questions or concerns, please let us know.
UPDATED: FREQUENTLY ASKED QUESTIONS:
1. Your new password isn’t working properly. What should you do?
Unfortunately, due to current system limitations, your password must be 20 characters or less. We are working on a fix for this issue.
2. Will you need to relicense your iThemes products?
No. iThemes Licensing does not have to be updated because it’s based on a key that was given to your site when you originally entered your username and password to authorize it. Changing your iThemes account password will not invalidate your license keys.
3. Will you need to reauthenticate your BackupBuddy Stash account on your sites?
Yes. Unfortunately, you will need to log in to those WordPress sites using BackupBuddy Stash as a remote destination and re-enter your credentials.
4. What about iThemes Sync?
Your iThemes member account and iThemes Sync account are the same. You’ll just need to update the iThemes member password you use to log in to the Sync Dashboard. You will not have to reset the password on each site. WordPress admin credentials are not stored in Sync, so you don’t need to update those.