
WordPress Hacked, Attackers Get Root Access

samzenpus posted about 3 years ago | from the protect-ya-neck dept.

Security 168

An anonymous reader writes "A hacker has gained access to WordPress.com servers and site source code was exposed including passwords/API keys for Twitter and Facebook accounts. From the official blog post: 'Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partner's code. Beyond that, however, it appears information disclosed was limited.'"


the cloud (5, Insightful)

stoolpigeon (454276) | about 3 years ago | (#35811760)

and that's why I don't want everything in the cloud.

Re:the cloud (1)

doconnor (134648) | about 3 years ago | (#35811856)

Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.

Re:the cloud (4, Insightful)

Zapotek (1032314) | about 3 years ago | (#35811992)

Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop.
That's why the parent is right.

Re:the cloud (1)

John Hasler (414242) | about 3 years ago | (#35812092)

It doesn't follow that the impact on any one user is greater, though.

Re:the cloud (3, Insightful)

icebraining (1313345) | about 3 years ago | (#35812202)

But it makes it far more probable.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812880)

Actually, it does.

If you are in the market to buy/sell information, it's much more attractive to have a huge bundle of thousands of users' information than individual information. That makes it not only more probable that an individual will get burnt THAT way (as opposed to targeted as an individual), but it makes the value of the breach higher, and therefore more likely that it will then disseminate and be used.

Re:the cloud (2)

pasv (755179) | about 3 years ago | (#35812904)

Try reliably exploiting thousands of browsers on several different platforms and different environments to get at info. Or just send one well crafted email to a low-level employee of a company that controls the targeted information on a cloud and start a spear phishing campaign. Hrm.. Which is harder to do?

Re:the cloud (2)

jd (1658) | about 3 years ago | (#35813074)

Ah, that's a good question. In theory, central servers will have better security than Joe Average will know how to install. In practice, N times as many users will make the target f(N) times as inviting (where f() depends on who is doing the evaluating). This means that it is f(N) times as likely to be attacked by a human but equally likely to be attacked by zombies, worms and maybe the occasional vampire, since those won't care about N or f().

If you are concerned about human crackers, then f(N) becomes the dominant factor and your server has to be f(N) times as secure in order to maintain the same equivalent risk per person. (More attackers x more attention per attacker != Comfy Sofa.)

If you are concerned about the total number of attacks, then f(N) will never become significant in comparison to the automatic attacks. Since security has risen by more than the total number of attacks, the risk per person goes down.

Both of these ways of looking at the problem are valid, but they are also dependent on context. Automatic attacks against a hardened Linux box, OpenBSD or VMS are unlikely to succeed. I'd be much more worried about human attackers against those. Windows boxes, on the other hand, are harder to secure well and the total number of attacks rather than the potential haul for a successful break-in becomes important.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812214)

It doesn't follow that the impact on any one user is greater, though.

It hurts your odds when the target is higher-profile and higher value, and therefore more tempting.

Re:the cloud (1)

dhavleak (912889) | about 3 years ago | (#35812948)

The impact is the same -- your data is pwned. The incentive for an attacker to go after cloud storage is greater (many people's data vs. 1 person's data). Therefore, the odds of a targeted attack are vastly higher for a cloud service.

Re:the cloud (1)

bongey (974911) | about 3 years ago | (#35812112)

For a good technical person yes, for the average person no. The safeguards, intrusion detection, and dedicated people to monitor a server make it easy to know if something went wrong. The school I went to, a tier 1 school: someone in alumni relations decided to store credit card numbers/SSNs for the entire school in an Excel spreadsheet. The machine was botnetted, someone malicious got hold of the file and went on a spending spree. My parents almost got hosed; someone attempted to purchase 6k in computers, but my parents didn't have the funds so it bounced. Only when the bank came calling that their purchase of new computers didn't go through did we find out. It was pretty clear on the attempted purchase that it was linked to the school; it said "XXXX University", along with the address of the school. The school never disclosed the breach; only because I had connections in the IT groups did I find out. It was some intern that had put it on her desktop in the alumni relations office.

Re:the cloud (1)

Skuld-Chan (302449) | about 3 years ago | (#35812726)

So your solution to keeping websites from being hacked is to store the website at home on your desktop pc?

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35813066)

Yep. I run my web site from a server sitting in my house. My broadband connection is plenty fast enough and I have a lot more confidence in my ability to lock down a system than any of these companies/organizations run by idiots.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35813068)

That's what most TFAs linked in /. seem to do.

Re:the cloud (1)

geekmux (1040042) | about 3 years ago | (#35812908)

Isn't it obvious? Because the impact of hacking a server containing data from thousands of users is FAR greater than hacking a single desktop. That's why the parent is right.

The collective computing (and bargaining) power of several thousand computers is FAR greater than a single server, hence the proliferation of botnets.

This is why BOTH of you are right, and why the ONLY safe place for ANY of your personal information is wrapped nicely in strong crypto.

Re:the cloud (2, Insightful)

Anonymous Coward | about 3 years ago | (#35812016)

Oblig. http://xkcd.com/538/

In short... It's more secure because nobody cares about his private data, and even if some hacker did care about his data specifically, whether or not it is on his own computer makes no difference.

On a large system, such as WordPress, each individual user's data is of insignificant value, but the whole of it may have some value.

It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

Re:the cloud (2)

xystren (522982) | about 3 years ago | (#35812536)

It is easier to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

It is more efficient to break 1 machine with 50,000 users than 50,000 machines with 1 user each.

Fixed it for ya. The number of users doesn't make it easier, it just makes the potential return on the effort more significant.

Re:the cloud (1)

Tetsujin (103070) | about 3 years ago | (#35812596)

Why do you think keeping data on your own computers makes it more secure? Big break-ins make news, but that doesn't mean they are the most common.

The distinction here is if you maintain your own data on your own system, you're (probably) a small target. Aggregating a large number of small targets onto a single site makes that site a big target.

Re:the cloud (1)

dotfile (536191) | about 3 years ago | (#35812944)

I wouldn't say my machine is more secure than that of WordPress -- although, since theirs has been compromised and mine has not, I guess that's open for debate. One big difference is, I know what and where my vulnerabilities are, and I have my fingers in there daily so I'll know pretty quickly if and when someone breaks in. When hosting stuff on Other Peoples' Servers, you never really know for sure if they are secure, how secure they are, etc. Until you find out the hard way, of course.

As for my actual sensitive data, the stuff that would actually be inconvenient to have someone else see... yes, keeping it on my own system makes it more secure, for a number of reasons. None of which I'm ever likely to discuss.

Re:the cloud (0)

Touvan (868256) | about 3 years ago | (#35811870)

Or stored on anything connected to the net at all? Do you really think most people's personal computing equipment (including - maybe especially - their smart phones) is more secure than a cloud service?

If I were betting on which, as a class of internet connected storage - cloud services, or personal hardware - is more secure, I'd bet on cloud services.

why rob banks? (2, Insightful)

Anonymous Coward | about 3 years ago | (#35811940)

that's where the money is.

say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.

individuals are gonna get hit one at a time... the cloud is a really big juicy target

security through fifty-leven different systems & methods for each record.. kinda security through obfuscation.
my method will be different from my neighbor

if we are both on amazon cloud-- you only gotta get in once.

Re:why rob banks? (2)

xMrFishx (1956084) | about 3 years ago | (#35812216)

security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor

Though in the terms of most consumers all that means is your key is under the mat, his is in the plant pot. I keep mine in a hornet's nest but leave the back door open in case I can't get past the hornets.

Re:why rob banks? (0)

Anonymous Coward | about 3 years ago | (#35812240)

that's where the money is.

say you are a black hat, you gonna go after amazon cloud services or ME as an individual at home.

individuals are gonna get hit one at a time... the cloud is a really big juicy target

security through fifty-leven different systems & methods for each record.. kinda security through obfuscation. my method will be different from my neighbor

if we are both on amazon cloud-- you only gotta get in once.

uhm.. are you saying banks are being robbed more than homes and people?

Re:why rob banks? (0)

Anonymous Coward | about 3 years ago | (#35812450)

Yes, because robbing people, homes and banks compares to breaking into a network so well....

Re:why rob banks? (1)

Cwix (1671282) | about 3 years ago | (#35812580)

Lets expand on your analogy a little.

Someone gaining root access has the potential to access ALL information. Therefore someone breaking into a bank could take everything.

So the modified analogy would go like this:
If a thief could take everything from the place he breaks into would he break into my apartment, or into a bank?

I'm going to guess he'll break into the bank.

So.. to wrap it up, as I see it the robber would much rather make off with 10,000 people's assets than 1 person's. Which makes the bank a much bigger target.

Re:the cloud (1)

element-o.p. (939033) | about 3 years ago | (#35812568)

But even if it is harder to break into a cloud service, the reward:effort ratio is much, MUCH higher for the cloud service.

Break into Joe Luser's home PC, and you get his porn collection, the e-mail addresses in his address book, and *maybe* the user names and passwords to get into his financial accounts. Repeat for a sufficiently large number of home PCs and you might have something of value...if you don't get caught first.

Break into facebook/wordpress/$RANDOM_CLOUD_SERVICE and you get that information for *EVERY USER ON THAT SERVICE*...and you only had to get root access on one host.

Re:the cloud (1)

Touvan (868256) | about 3 years ago | (#35812626)

> But even if it is harder to break into a cloud service, the reward:effort ratio is much, MUCH higher for the cloud service.

That's a darn good point.

Re:the cloud (2)

dominious (1077089) | about 3 years ago | (#35811898)

huh? wordpress is "cloud" ? From the site: "WordPress is web software you can use to create a beautiful website or blog"

Re:the cloud (1)

Anonymous Coward | about 3 years ago | (#35811958)

This isn't an exploit for Wordpress itself, it's the Wordpress.com site getting hacked. This headline seems to be more attention-grabbing than it should be.

Re:the cloud (5, Informative)

lennier1 (264730) | about 3 years ago | (#35811986)

wordpress.COM is a hosting service which offers WordPress blog setups out-of-the-box.
wordpress.ORG is where the software itself is published.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812050)

Everything that has an internet connection nowadays is being called "in the cloud".
Do you know your PC is at this very moment connected to the slashdot cloud? Heck, even I'm in the cloud. Although that is the cloud of smoke for me ;)

Re:the cloud (1, Troll)

larry bagina (561269) | about 3 years ago | (#35812866)

huh? wordpress is "cloud" ? From the site: "WordPress is web software you can use to create a beautiful website or blog"

I'm going to need a citation on the beautiful part.

Re:the cloud (4, Insightful)

zill (1690130) | about 3 years ago | (#35811968)

Care to point out how "the cloud" is involved in this case? Nowhere in the summary or TFA does it mention that the compromised servers were cloud-based.

Re:the cloud (4, Insightful)

Anonymous Coward | about 3 years ago | (#35812078)

It does seem that "the cloud" simply means, to most people, "storage and apps on the web". With that common definition I'd have a hard time seeing how it wasn't cloud based. In fact, that's probably why they were hacked. The hackers were looking for that silver lining that every cloud has.

Re:the cloud (0, Troll)

postbigbang (761081) | about 3 years ago | (#35811978)

And once again, the importance of data security and professionalism means you protect whatever, wherever, to the same high standard.

Your suggestion that you don't want to have anything in the cloud is moronic. Most of what you do is on the Internet. The Internet is the cloud. Wordpress is hosted, just like this site. With luck, the venerable staff hosting this stuff has been responsible enough to protect us. If not, we'll be upset.

Re:the cloud (5, Insightful)

stoolpigeon (454276) | about 3 years ago | (#35812246)

I never said I didn't want "anything" in the cloud. In fact the word I used was "everything". I also placed that word in italics to emphasize that I meant some things I would rather maintain on my own machines, but not all things.

One of us has rather poor reading skills. That may be the one that is "moronic".

Furthermore, you have no idea what I do or where most of it takes place. To assert that you do is, well, rather short sighted. One might almost be inclined to say moronic.

And to decide that the security of one's data is properly handled should be a matter of luck. There has to be a good word for that view, let me think on it a bit and I'm sure it will come to me.

Oh, and if being called moronic makes you feel bothered at all, I'd recommend keeping that in mind when you throw the word at others. I'm no rocket scientist but that kind of slur really isn't called for.

Re:the cloud (2)

postbigbang (761081) | about 3 years ago | (#35812422)

I stand by my description.

To look at "cloud" in any way that's different than any system on any network, including the network, is to bash the people that do hard work to protect online public and private resources.

You can store locally, but your use of the Internet is global, and differentiation with "cloud resources" is to damn professionals and not put the blame where it's due: sysadmins at Wordpress that need a really good spanking.

Re:the cloud (1)

Cwix (1671282) | about 3 years ago | (#35812640)

You were wrong, you read his post badly. Perhaps you just wanted somewhere to place your opinion. Start a new post in that situation.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812914)

You misunderstood parents post and then made a spiteful reply. You may consider an apology, it certainly wouldn't hurt.

Re:the cloud (2)

Fjandr (66656) | about 3 years ago | (#35812962)

Nowhere in that response is an objection to your description of what "cloud" means. In fact, it seems as though the post implicitly agrees with your definition.

What it does say is that your claim of "Your suggestion that you don't want to have anything in the cloud is moronic." is entirely incorrect. Which it is.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35813048)

Guys, you are arguing on slashdot on the internet. That's retarded hypocube.

Re:the cloud (2)

lymond01 (314120) | about 3 years ago | (#35812270)

"If not, we'll be upset."

And that's all you will be. Free hosted services have no service agreement, no liability, no enforced responsibility to secure or protect your data.

Until hosted services need to compensate you for their screwups, many places would prefer to handle their data in house (where they can fire people).

Re:the cloud (1)

postbigbang (761081) | about 3 years ago | (#35812472)

No, that's not really true. There are serious sysadmins out there that take it seriously. Whether FOSS volunteers or paid people, people are supposed to take this seriously. There are consequences, both legal liability and criminal.

It's fine to keep data on your own host in your own data center with your own firewall and your own ass covered. Disconnect. Or try and raise the standard.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812274)

I hate the term "cloud'. It makes it sound like something new and special.

Give me a hard drive that erases itself.

Re:the cloud (1)

petteyg359 (1847514) | about 3 years ago | (#35812430)

Your suggestion that you don't want to have anything in the cloud is moronic. Most of what you do is on the Internet. The Internet is the cloud.

Your usage of the common ignorant fool's definition of "cloud" is moronic.

Re:the cloud (1)

postbigbang (761081) | about 3 years ago | (#35812542)

Ok, chump, since you want to continue the disinformation. I have cloud resources at AWS, Rackspace, GoGrid, and a lot of 'cloud' providers.

What are you computing on? Do you know if it's hosted at an MSP/ISP? Unlikely-- save for the hosts that you personally know of.

Wordpress, by one definition, is in the cloud. Most hosted stuff can be considered cloud. Cloud is nebulous. Cloud is SaaS. Cloud is raw VMs on the hoof. Cloud is 100 instances that I can spin up in about 30sec.

So fuck off about your definition of the cloud, because the cloud is completely nebulous-- representing hosted services. You must be in marketing.

Re:the cloud (0)

Anonymous Coward | about 3 years ago | (#35812432)

Your logic: banks get robbed at a rate of something like 25 armed robberies a day in the US, so don't keep cash with banks. Might work for some.

Facebook? Twitter? (5, Insightful)

Jeremiah Cornelius (137) | about 3 years ago | (#35811764)

The Word Press devs promoting integration with Facebook is like handing Sweeney Todd the razor and saying "Shave away, whatever you like."

It starts with FB managing the identities and next, the discussion threads, and slowly creeps throughout - until WP is a hollow frame on which to drape FB parts.

Eviler than Google. And that's saying a lot.

WTF? (1)

Anonymous Coward | about 3 years ago | (#35811846)

>> Eviler than Google. And that's saying a lot.

Er.. Anything from Apple|Microsoft|Oracle|Sco might have made slightly more sense. But then, if you had taken your medicine today on time, we wouldn't have had this discussion. Just saying...

Re:WTF? (1)

Anonymous Coward | about 3 years ago | (#35812028)

Google owns you and you're too dumb to see it.

Re:WTF? (2, Funny)

Anonymous Coward | about 3 years ago | (#35812242)

It doesn't matter how much you keep trying, Mr. Beck, Slashdot won't hire you after your gig at Fox News is done.

Re:WTF? (0)

Anonymous Coward | about 3 years ago | (#35812302)

Only if I let Google do that. And BTW, google was the only one who fought against the order asking them to reveal user information while all others just caved in. Also, just the previous story was about Google investing in some solar power plant, while Steve Jobs is stealing others' livers.

Are you really that stupid?

Wait a second - it seems I am on digg. Never mind. Please continue babbling.

Re:WTF? (3, Informative)

Dishevel (1105119) | about 3 years ago | (#35812350)

But they don't own me; they do, though, rent me with really cool shit.
Even after they rented me they kept improving the shit they rented me with.
They win too. They serve me up small text ads. Ones that kind of hang back and allow me to see the stuff I want to see.
Because they rented me they also can do a better job of making those unobtrusive text ads sometimes useful.
If they fuck us over then their flock runs away. Then their profits go down. They do not want to do that.
What they want is to continue to serve me really good ads that make them shitloads of money.
What I want is really cool shit and ads that don't make me want to tear my eyes out.
That is why me and Google get along so well.

Re:Facebook? Twitter? (0)

Anonymous Coward | about 3 years ago | (#35811848)

Hey, not my weenie Sweeny!

Re: twitter/fb-This has been happening everywhere (3, Insightful)

Anonymous Coward | about 3 years ago | (#35812206)

Login: Half the sites I visit these days have a facebook login option to access that site's account. A subset of which no longer really -have- an account management of their own.

Discussion threads: Almost every site that has discussions threads seems to use Disqus these days.

Avatars / Profile pictures: Thanks to the use of Disqus, that'll be Gravatar, but even sites that still have their own commenting system seem to be jumping to Gravatar; including WordPress.com .

I'm not sure who knows more about people anymore.. Google or that little conglomeration of services.

Re: twitter/fb-This has been happening everywhere (2)

hedwards (940851) | about 3 years ago | (#35812300)

I refuse to sign up for sites like that. I played around with OpenID for a bit, but stopped pretty quickly. A single point of failure is really not a good thing.

Re: twitter/fb-This has been happening everywhere (1)

TheRaven64 (641858) | about 3 years ago | (#35812374)

The gravatar one is the one that irritates me the most. Ohloh.net uses it, and they don't even let you point to an avatar on your own web server. I can sort of understand them not wanting to have to host everyone's avatar (although, given that they're 10KB or so each... not really), but a service forcing you to use a third-party service to make some features work seems really stupid to me.

Re: twitter/fb-This has been happening everywhere (3, Insightful)

Anonymous Coward | about 3 years ago | (#35812668)

Gravatar is particularly bad because it is uniquely* identifying to your e-mail address.
(* as far as MD5 is unique for the purposes)

If you were ever silly enough to use your e-mail address on some random blog to make an anonymous post - falsely trusting that the site wouldn't make this public - and that site decides to add Gravatar -without- making sure it only adds this for non-Anonymous posts... bam. exposed.

In addition, of course, Gravatar knows who you are, at least by e-mail address (not sure what other information you have to give up). Because Gravatar hosts the avatar images but gets referenced from the original site (or via Disqus), Gravatar essentially knows where you have posted comments.

That's just two of the security/privacy issues with Gravatar - a websearch will yield many more. But users typically don't care.. they just think it's great that they can go to Gravatar, upload a new profile image, and that's instantly updated on every service you use. That's useful to some. Webmasters also generally don't care, because they believe that -all- their users are the aforementioned type of user. This happened recently at a site and after a short explanation in the discussion system there (not Disqus, thank goodness), many agreed that the webmaster made a booboo and the webmaster made it opt-in a few days later; but the damage was already done. Gravatar essentially had a list of everybody who ever commented there - people who are typically customers of that site - the moment people started viewing pages. And that's presuming Gravatar doesn't immediately scrape the site for datacollection - I know I would if I were evil.

I've long given up the idea that there's anything I can do completely anonymously - but it still saddens me to see that privacy is yanked away so readily and without any consent, thanks to the masses.
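The identification problem described in the comment above, as an added example that is not part of the thread and not Gravatar's or WordPress.com's code. It assumes only the publicly documented Gravatar scheme (image URL built from the MD5 of the trimmed, lowercased e-mail address); the page fragment, the e-mail addresses and the candidate list are constructed for the example. It shows the three steps the comment implies: a site embeds avatar URLs, an observer scrapes the hashes, and anyone holding a list of likely addresses matches them offline. It also includes the opt-in rendering rule the comment says the webmaster eventually adopted.

```python
"""Added example: why a Gravatar URL identifies the commenter's e-mail address.

Gravatar's avatar URL is https://www.gravatar.com/avatar/<md5(lower(trim(email)))>.
MD5 is not reversible, but an e-mail address has very little entropy, so anyone
with a candidate list (a customer database, an earlier breach dump) can hash
the candidates and look the observed hashes up. Everything below, including
the sample HTML and the addresses, is constructed for illustration.
"""
import hashlib
import re


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: MD5 hex of the trimmed, lowercased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """The URL a site embeds in its page for a commenter's avatar."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


_AVATAR_RE = re.compile(r"gravatar\.com/avatar/([0-9a-f]{32})")


def extract_hashes(html: str) -> list:
    """Every avatar hash visible in a rendered page, de-duplicated, order kept."""
    seen, out = set(), []
    for h in _AVATAR_RE.findall(html):
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def match_hashes(hashes, candidate_emails) -> dict:
    """Offline match: hash each candidate once, then look the observed hashes up.

    Returns {hash: email} for every hash that hit a candidate; unknown
    addresses stay unresolved, which is the only protection an "anonymous"
    commenter actually has once the hash is public.
    """
    table = {gravatar_hash(e): e.strip().lower() for e in candidate_emails}
    return {h: table[h] for h in hashes if h in table}


def deanonymise(html: str, candidate_emails) -> dict:
    """Scrape a page and resolve whatever hashes the candidate list covers."""
    return match_hashes(extract_hashes(html), candidate_emails)


def avatar_tag(email: str, anonymous: bool, opted_in: bool) -> str:
    """The fix the comment describes: reference Gravatar only for commenters who
    are not posting anonymously and who opted in. Everyone else gets a locally
    hosted default image, so no e-mail-derived identifier leaves the site."""
    if anonymous or not opted_in:
        return '<img src="/img/default-avatar.png" alt="avatar">'
    return f'<img src="{gravatar_url(email)}" alt="avatar">'


# Constructed page fragment: two "anonymous" comments, each with an avatar
# the site added without asking. The first address appears in our candidate
# list, the second does not.
SAMPLE_HTML = "\n".join([
    '<div class="comment"><img src="' + gravatar_url("Alice.Reader@example.com")
    + '"> Anonymous: I would never post under my real name.</div>',
    '<div class="comment"><img src="' + gravatar_url("nobody-we-know@example.net")
    + '"> Anonymous: Me neither.</div>',
])

# Constructed candidate list, e.g. the site's own customer e-mails.
CANDIDATES = ["alice.reader@example.com", "bob@example.com", "carol@example.org"]


if __name__ == "__main__":
    for h, email in deanonymise(SAMPLE_HTML, CANDIDATES).items():
        print(f"{h} -> {email}")
    print(avatar_tag("alice.reader@example.com", anonymous=True, opted_in=True))
```

Only one of the two hashes resolves, because only one address is in the candidate list; the cost of a miss is one MD5 per candidate, so a list of millions of addresses is checked in seconds. The `avatar_tag` rule is the cheap server-side mitigation: the hash is never emitted for anonymous or non-consenting commenters, so there is nothing to scrape.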

Re: twitter/fb-This has been happening everywhere (1)

Jeremiah Cornelius (137) | about 3 years ago | (#35812900)

Facebook's New Realtime Analytics System: HBase to Process 20 Billion Events Per Day

Via: High Scalability: [highscalability.com]

The need for such a high powered analytics system is driven by Facebook's brilliant plan for world wide web domination via the viral propagation of social plugins, all tying the non-Facebook web back into Facebook and the Facebook web back into the non-Facebook web. Basically anything that people can do is captured and fed back through Facebook and anything done on Facebook can be displayed on your website, building closer relations between the two.

Color me surprised (0)

Anonymous Coward | about 3 years ago | (#35811774)

:-|

beyond that... (4, Funny)

hxnwix (652290) | about 3 years ago | (#35811838)

They stole everything, but, "beyond that, however, it appears information disclosed was limited."

Re:beyond that... (2)

xMrFishx (1956084) | about 3 years ago | (#35811886)

Quick, if we shut our eyes we can't see anything being stolen!

Re:beyond that... (0)

Anonymous Coward | about 3 years ago | (#35811944)

Yrah. Nut, hoe dp i reply wioth my eyed c;loserd>

Perhaps, rather, something was PLANTED in (0)

Anonymous Coward | about 3 years ago | (#35812728)

Not STOLEN out?

APK

P.S.=> Everyone automatically seems to assume it's only "all about stealing something out of the server", when it may very well be inserting something ONTO THE SERVERS as well!

(Just some "Food 4 Thought"/something to consider)... apk

Re:beyond that... (0)

Anonymous Coward | about 3 years ago | (#35812838)

well, what's beyond everything?

Automattic (1)

asvravi (1236558) | about 3 years ago | (#35811842)

So low level break-ins are automatic now?

'Automatic had a low-level (root) break-in to several of our servers'

Refreshing honesty? (1)

slackzilly (2033012) | about 3 years ago | (#35811932)

Many (most?) companies try to lie about the severity of the hack. Looks to me like they are saying it like it is. I like that.

Yo , (0)

Anonymous Coward | about 3 years ago | (#35811956)

"Automatic had a low-level (root) break-in to several of our servers,"

-- The victims know the attacker by name?

Saw some unusual activity this week (2, Informative)

Anonymous Coward | about 3 years ago | (#35811962)

I was seeing some unusual activity on my blog hosted there. I opened a ticket and they thanked me for the info but never got back to me. Just emailed them regarding the ticket to see if they were related. Good thing I immediately went and changed my password for them. I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not too worried unless they can decrypt the password file. I would hope they encrypt their password file... I'll probably also have to prepare for more spam as well since this is a different email addy from last week's Epsilon breach...

-Brad

Re:Saw some unusual activity this week (4, Insightful)

v1 (525388) | about 3 years ago | (#35812034)

I guess I better change it again just to be safe. Mine is definitely not in the dictionary or guessable so I'm not to worried unless they can decrypt the password file. I would hope they encrypt their password file..

If they raided the entire fridge, even if it was encrypted, they'd have the keys and thus all the passwords on a silver platter.

I think what you meant to say is you hope the passwords were hashed .

Re:Saw some unusual activity this week (-1)

blair1q (305137) | about 3 years ago | (#35812872)

That ain't how password encryption works.

The cleartext password is encrypted with the key, and the encrypted version is stored in the password database (file, etc.). When you enter your password to gain access, it is encrypted in the same way and the encrypted versions are compared. Once encrypted, it can not be decrypted. It can only be cracked by encrypting trial passwords until one matches.

So having the key is irrelevant.

Unless they fucked up that very simple means of making password storage safe. Which I'm not betting money against.

Re:Saw some unusual activity this week (2)

dave420 (699308) | about 3 years ago | (#35812928)

Hmm. Usually it's a hash of the password that is stored. The entered password is then hashed the same way, and if the result is the same, access is granted. Encrypted data can be unencrypted, but hashed data can't be unhashed.

Re:Saw some unusual activity this week (0)

blair1q (305137) | about 3 years ago | (#35812886)

never mind. hashing = encryption, here. they've changed the terminology since the last time i cared.
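The distinction the subthread above is arguing over (reversible encryption with a key on the box versus salted one-way hashing), as an added example that is not from the thread and not WordPress.com's code. It assumes the attacker has root on the server holding the credential store, which is the scenario the article describes. The "encryption" side uses a deliberately toy SHA-256 keystream so the example runs with the standard library alone; that choice is an illustration, not a recommendation, and a real cipher would not change the conclusion, since the key still sits next to the data. The hashing side uses PBKDF2-HMAC-SHA256 from `hashlib`. The user names, passwords and wordlist are constructed.

```python
"""Added example: what a root compromise yields against two password stores.

Scheme A stores passwords encrypted under a key the application can read
(it has to, to check logins). Root on that host reads the key, so every
stored password decrypts. Scheme B stores a per-user salted, slow hash; root
yields no key, only the right to start guessing, one salt at a time.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for production use


# --- Scheme A: reversible encryption, key stored beside the data -------------
def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: SHA-256 in counter mode, XORed
    over the data. Not a real construction; the point is only that anyone
    holding `key` can run it backwards."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_password(key: bytes, password: str) -> bytes:
    return _xor_stream(key, password.encode("utf-8"))


def decrypt_password(key: bytes, ciphertext: bytes) -> str:
    return _xor_stream(key, ciphertext).decode("utf-8")


# --- Scheme B: salted, slow, one-way hash ------------------------------------
def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Record format (assumed for this example): algo$iterations$salthex$dkhex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# --- What root gets in each case ---------------------------------------------
def root_attacker_vs_encryption(dump: dict, key: bytes) -> dict:
    """Scheme A: the key was on the same box, so the whole table comes back
    in cleartext, independent of how strong any password was."""
    return {user: decrypt_password(key, ct) for user, ct in dump.items()}


def root_attacker_vs_hashes(dump: dict, wordlist: list) -> dict:
    """Scheme B: no key to steal. Each user's salt forces a separate guessing
    run, and only passwords that appear in the wordlist are recovered."""
    found = {}
    for user, record in dump.items():
        for guess in wordlist:
            if verify_password(guess, record):
                found[user] = guess
                break
    return found


def demo(iterations: int = ITERATIONS) -> tuple:
    """Build both stores from the same constructed accounts and attack each."""
    accounts = {"joe": "password1", "brad": "xQ7!vR2#mZ9&kL4"}   # constructed
    key = secrets.token_bytes(32)                                # lives on the server
    store_a = {u: encrypt_password(key, p) for u, p in accounts.items()}
    store_b = {u: hash_password(p, iterations) for u, p in accounts.items()}
    wordlist = ["123456", "password1", "letmein", "qwerty"]       # constructed
    return (root_attacker_vs_encryption(store_a, key),
            root_attacker_vs_hashes(store_b, wordlist))


if __name__ == "__main__":
    got_a, got_b = demo()
    print("encrypted store, root has key :", got_a)
    print("hashed store, root has no key :", got_b)
```

Against the encrypted store the attacker recovers both accounts, including the strong password; against the hashed store only the account whose password is in the wordlist falls, and each further guess costs a full PBKDF2 derivation per user. That is the difference the commenters are reaching for: "encrypted" is a promise that depends on where the key lives, "hashed" is not.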

Terrible summary (2)

whh3 (450031) | about 3 years ago | (#35812020)

Where did the anonymous reader get information regarding the hacker's access to "passwords/API keys for Twitter and Facebook accounts"? On a related note, it appears that the anonymous reader cannot properly copy and paste; it is Automattic and not Automatic.

Terrible attacks' (0)

Anonymous Coward | about 3 years ago | (#35812054)

I've more than 10 websites in Wordpress.... the number of attacks is giant :S
I'll try to install some plugins to defend all of them.
Best regards,
Dan
http://www.chinelospersonalizados.org

CGI systems (0)

hackus (159037) | about 3 years ago | (#35812196)

Surprise!! Another CGI system is breached. Yes, I am one of those guys that thinks php is stupid!

Along with the whole idea of CGI based native call methods built as plugins directly into a web server.

Why don't you just give everyone the root password on your webserver and save them the effort and you the embarrassment?

At least that way you can say I knowingly did it instead of admitting you run CGI crud in the 21st century.

A century where VM technology makes such drivel totally unrequired.

So use virtual machines, and do not tie executable code to the native environment accepting the connections or call interfaces from direct URL's.

That means any CGI or language plugin for Apache. The only way today I would run a website is with a web server on the outside with no hard disk, and a java virtual machine executing the URL references on a completely separate networked machine using the apache tomcat plugin.

-Hack

Re:CGI systems (1)

GeorgeMonroy (784609) | about 3 years ago | (#35812286)

Please explain how to do this. I have no idea what you are talking about but it does sound like you are giving good advice.

Re:CGI systems (2, Insightful)

Anonymous Coward | about 3 years ago | (#35812290)

The only way today I would run a website is with a web server on the outside with no hard disk, and a java virtual machine executing the URL references on a completely separate networked machine using the apache tomcat plugin.

Wow! You could serve TENS OF USERS with that rig!

Re:CGI systems (1)

lennier (44736) | about 3 years ago | (#35812424)

Got Geometrodynamics? Awe, too hard to figure out? Too bad.

John Wheeler cries! Then giggles. Then cries some more.

Re:CGI systems (1)

Anonymous Coward | about 3 years ago | (#35812824)

So how's that unemployment check coming along?

Re:CGI systems (1)

Ash-Fox (726320) | about 3 years ago | (#35812858)

So use virtual machines, and do not tie executable code to the native environment accepting the connections or call interfaces from direct URL's.

That didn't stop someone exploiting my tomcat powered website, downloading copies of the databases.

They have no idea what was taken (0)

Anonymous Coward | about 3 years ago | (#35812388)

They have no idea what data was taken/probed. Even if they don't think that their encryption keys were taken, they were. This attack will happen again, and now that Wordpress has got some press off this, they are going to be securing stuff even more. All that this is going to do is make more and more people probe and push down attacks on their site.

Bad choice guys. If you get hacked, don't publish it.

Re:They have no idea what was taken (1)

HomelessInLaJolla (1026842) | about 3 years ago | (#35812616)

If you get hacked, Don't publish it.
Most people don't even know about it. If the people who have pwned your system allow you to discover it is only because they are setting you up.

Sure glad... (1)

ugen (93902) | about 3 years ago | (#35812698)

Sure glad now I used a "shitty unimportant level" password for my wordpress.com account. Whoever it is, is welcome to keep it.

Re:Sure glad... (0)

Anonymous Coward | about 3 years ago | (#35812798)

Instead of "shitty unimportant level" passwords--you should be using a password manager and lots of great unique passwords.
