*Update* As of Dec. 9, 2014, we can now say we have resolved the security vulnerabilities exposed in this breach.
Here is a recap of the measures we have taken to protect your data moving forward:
- All of our sites have been moved to SSL. SSL protects the data sent from your browser to our server. This ensures that your username and password details aren’t captured by someone on a shared internet connection or Wi-Fi.
- We’re now behind Sucuri’s Web Application Firewall (WAF). Sucuri’s WAF protects our server from a wide variety of known and unknown attacks, adding an extra layer of protection to ithemes.com.
- We’re no longer storing any plain text passwords. Even if someone compromises our server, they cannot grab a database full of passwords to start attacking with.
- We reset all pre-breach passwords (WordPress accounts, forum accounts, membership admins, databases, SSH users, FTP users, etc.) and reset all access keys. Any passwords or keys that attackers could have taken were invalid the same day that the compromise was discovered. This means that they would be unable to quickly and easily regain access to the server.
- We isolated iThemes.com away from many other sites to reduce the number of possible entry points. By greatly reducing the number of sites and other resources running on the same server as ithemes.com, we limited the options available to attackers.
As promised, we want to keep you updated on information about the attack on our membership system at iThemes we disclosed Tuesday. (In addition to the post, we sent emails Monday night to every customer in our system to alert you of this issue, asking that you reset your password and other places you use the same password.)
Additionally, we have been working very closely with Sucuri and Site5 through this as well for guidance and assistance. Having additional help and expertise on this has been invaluable.
If you want to keep abreast of every future update, please sign up for the special disclosure email notification list here.
With that … here is some more information to disclose to you:
An Update on Passwords
Yesterday we publicly disclosed that we had identified suspicious activity on one of our servers.
We have confirmed that it is in fact a compromise.
While there is much more to report on this at some point soon, we want to take a moment to talk specifically about passwords related to the attack.
Over the past 24 hours there have been a few questions as to how we store and maintain them and I want to provide clarity and transparency in this post.
It’s Important That You Update Your Passwords
As we explained in the post yesterday, the minute we became aware of the incident we took steps to protect all your accounts by doing a global reset of all accounts. This action immediately protected your accounts and respective sites from access via any of our tools.
It did not, however, protect you from those same credentials being leveraged in a username / password list that could be later used to attack your own websites directly or other online properties (i.e., Twitter, Email, Facebook, etc.).
We can’t stress enough the importance of immediately updating your passwords across all systems and sites that use the same password that you had in our membership system.
How Does iThemes Store Passwords?
There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.
Yes, those credentials were used across our entire platform, from our iThemes membership login to your iThemes Sync login.
No, the same passwords can no longer be used to log in as you or log into your Sync accounts.
It’s important that you immediately update any other account that uses the same username / password combination. This includes WordPress installs, FTP logins, cPanel access, Gmail accounts, Yahoo accounts, Facebook, Twitter, billing accounts, etc.
What Does Plain Text Mean?
This means that the passwords were not protected as they should have been. They were not hashed, salted, or protected by any combination of such techniques. This means that if the attacker was able to see / save the passwords, they have a new username / password list.
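The difference described above, as an added example that is not iThemes' code: a store that keeps the password itself beside one that keeps a per-user salt and a slow, iterated hash, with a helper showing what a dumped row hands an attacker. The class names, the iteration count and the sample credentials are assumptions of this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; hundreds of thousands of iterations is
# the current norm. This value is an assumption of the example, not from the post.
ITERATIONS = 600_000


class PlainTextStore:
    """The pre-breach pattern the post describes: the password itself is the row."""

    def __init__(self):
        self.rows = {}

    def register(self, username, password):
        self.rows[username] = password

    def check(self, username, password):
        return self.rows.get(username) == password

    def dump(self):
        # A database dump is already a ready-to-use username / password list.
        return dict(self.rows)


class SaltedHashStore:
    """Hardened form: per-user random salt plus an iterated, deliberately slow hash."""

    def __init__(self):
        self.rows = {}

    def register(self, username, password):
        salt = os.urandom(16)  # unique per user, so equal passwords give different rows
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.rows[username] = (salt, digest)

    def check(self, username, password):
        salt, digest = self.rows.get(username, (b"\0" * 16, b"\0" * 32))
        # Always do the full hash and compare in constant time, so neither an
        # unknown username nor a near-miss password changes the response timing.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return username in self.rows and hmac.compare_digest(candidate, digest)

    def dump(self):
        # What a server compromise yields here: salt and digest, never the password.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.rows.items()}


def dump_reveals_password(store, username, password):
    """True when the dumped row for `username` is the password itself (directly replayable)."""
    return store.dump().get(username) == password
```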
Did the Attacker Get Access to the Passwords?
We have not been able to confirm or deny this, but because it’s on the same server where the attack happened we’re taking every precautionary measure possible. We have made a decision to treat it as a worst-case scenario in order to disclose and best protect you going forward.
Why Would You Store Passwords in Plain Text?
This is how the membership software we started using in 2009 did it. There are a number of factors for this, none that will make much of a difference at this point or make anyone feel any better about it, myself included.
Know that it’s not because we did not value your data. As an organization, we have been working on a very large migration process that has required us to interlink legacy systems with the latest technologies. Anyone that has ever gone through that process understands the complexities and challenges.
Frankly put, it’s been something we identified as a potential risk and are working rapidly now to rectify this issue as fast as humanly possible.
What Are You Doing About This?
I have made the migration process our primary focus, specifically the management and storage of all personal data – including passwords. We will provide an update on how this will be achieved in the coming days.
I don’t want to jump the gun, but would rather provide my team the time and focus they require to adequately respond and design a solution that addresses the problem as soon as possible and implements a long-term solution that we can all stand behind.
Again, we are working very closely with Sucuri and Site5. They are providing us guidance and assistance through this process. They will be involved in all our options moving forward to ensure that the risk of something like this happening again is as low as humanly possible.
Have password reset problems and need help?
Some customers have had problems and issues with password resetting. We’re now handling password-related support via ticketed emails sent to firstname.lastname@example.org or our contact form. If you’re having issues, please use the contact form here, or email us directly at email@example.com and we can help you there, privately.
I realize this will generate a lot of concern. Again, I am deeply sorry for this mistake and how it has affected you.
Let me say: we have made mistakes in the past at iThemes … and as humans will make mistakes in the future. To make a promise otherwise would be absurd and misleading.
But my promise to you, our customers, is this … and it’s the same promise that I’ve held to since January 2008 when I started iThemes in my home:
- We will identify mistakes as best we can. You have helped us with this, and we appreciate that accountability.
- We will own up to our mistakes. Again, we’ve done this in the past, we did this yesterday and this post is another example of us living this value.
- We will fix the mistake as fast as humanly possible. A number of priority issues have been unearthed and had a hard light shone on them, and we are working to resolve them.
- We will learn and grow from it and be better for it and for you.
Additionally, as the founder and CEO, the leader of this company, I want you to know: the buck stops with me and me alone.
At the end of the day, I am responsible for our company, iThemes, and the work we do. I’ve often tried to defer credit for the great work we’ve done to our team, but as for the mistakes we make, that credit belongs solely to me.
I started this company to offer solutions to help make people’s lives better.
I cannot control the past. The mistakes above were made. But we can control what we learn and how we grow from it in order to be better for you through it.
If anything, I am more energized and motivated than ever to make what we’re doing and how we do it better than ever.
As always, since 2008, thank you for your patience, support, and understanding as we work to fix this.