"Im getting paid!" - Websites hosted on WordPress hacked due to users' poor password security

Filed Under: Vulnerability

Millions of blogs hosted on WordPress.com can breathe a sigh of relief - although a hacker did manage to break into thousands of sites and publish a make-money-fast advert, it wasn't because of any vulnerability on the WordPress.com site itself.

Instead, it seems users had simply been careless with their password security.

The alert was initially raised by The Hacker News (THN) and Sucuri, after some blog owners received messages from WordPress.com telling them that their passwords had been reset.

One affected WordPress.com user told THN that he had discovered hackers had published a page containing a money-making advertisement (pictured below).

Hacked page on a WordPress.com website

A Google search for

site:wordpress.com "Im getting paid!"

finds evidence of thousands of sites that suddenly found they had unwittingly published "Im getting paid!" webpages.

Compromised accounts

Although some theorised that the hacker may have exploited a vulnerability on WordPress.com (which would be a very serious problem as the WordPress.com infrastructure is used by many of the world's most popular blogs and news sites), the truth seems to be rather more pedestrian.

Barry Abrahamson from Automattic (the company which runs WordPress.com) told Naked Security that there was no compromise of the WordPress.com servers, and that rather than a vulnerability, the most likely cause of the problem was "people sharing the same password across multiple services."

According to the firm, it spotted the problem quickly, notified affected users and reset passwords.

It's good news that the sites hosted on WordPress.com weren't hacked due to a vulnerability. After all, many blogs choose to host on WordPress.com in order to avoid the headache of managing their own security and updates on self-hosted WordPress installations.

So, remember folks - please use different passwords for different websites. If you use the same password in multiple places, it only requires your password to be stolen in one place for it to have an unpleasant impact on your other online activities.


One Response to "Im getting paid!" - Websites hosted on WordPress hacked due to users' poor password security

  1. Jason says:

    We all need to be more proactive about our personal account security. One thing that can’t be stressed enough is taking advantage of the 2FA (2-Factor Authentication) which is offered for WordPress.com. I feel a lot more secure when I can telesign into my account with an OTP.

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.