iThemes Confirms it Stored Customer Passwords in Clear-Text

Clear Text Password
photo credit: thegloamingcc

The CEO of iThemes, Cory Miller, published a second update concerning the security breach that occurred on Tuesday. After news of the breach, customers were left wondering whether or not their passwords were stored in clear-text. The latest update confirms that passwords were in fact stored in clear-text and affected approximately 60,000 customers.

There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.

Yes, those credentials were used across our entire platform, from our iThemes membership login to your iThemes Sync login.

Passwords stored in clear-text allow hackers to easily obtain them if the database becomes compromised. According to the announcement, storing passwords in clear-text dates back to membership software used in 2009. Since that time, the company has been involved with a large migration process moving from legacy systems to newer technology.

Know that it’s not because we did not value your data. As an organization, we have been working on a very large migration process that has required us to interlink legacy systems with the latest technologies. Anyone that has ever gone through that process understands the complexities and challenges.

Frankly put, it’s been something we identified as a potential risk and are working rapidly now to rectify this issue as fast as humanly possible.

I asked the CTO of CrowdFavorite, Chris Lema, who has over 20 years of experience in enterprise and SaaS products, if what iThemes experienced is common. “I can tell you this isn’t the first or last time I’ve heard of legacy systems that needed to be migrated or code that needed to be refactored. Sometimes you do it before anything bad happens. Sometimes you’re not fast enough. The trick is to prioritize it, even when things are ‘working’.”

In order to avoid the issues iThemes is working through, Lema offers the following advice. “Companies that have legacy systems – especially membership sites or eCommerce sites with users/passwords need to create a strategy for migrating those old systems while keeping everything running. This often means the creation of several interim systems. In other words, the migration isn’t a straight path but a multi-stop journey.”

Honesty is a Virtue

Customers have expressed disappointment that a company who sells one of the most popular WordPress security plugins failed to adhere to security best practices. However, thanks to Miller’s honest approach of attacking the issue head on, a lot of those same customers are pledging their support.

Although this is a difficult situation for iThemes and its customers, the way Miller has handled the situation is an excellent example of leadership. The easiest thing to do in situations like these is to sweep it under the rug or go around the issue. While customers have every right to be outraged, Miller’s human and honest approach has kept a backlash to a minimum.

42 Comments


  1. Wellp. I’m done with them. Let’s have a new security plugins roundup!

    Report


    1. To be fair, their membership system predates purchasing WP Better Security (now iThemes Security). The plugin was developed outside of iThemes and only relatively recently brought into the company.

      Report


    2. A combo of WordFence and BruteProtect seems to work well BUT WF is a bit buggy and some times causes cache issues. The iThemees sec app did have some good feature but noting that you could not do manually via FTP/editor….

      Report


    3. I have been playing with WP recently, used to hack a bit and sorry to say it is 100% the easiest script to go for, especially for skiddies with pre-built bruters etc, the amount of people that uses stuff like Kraft123. I would tell you the length and depth of mine but that alone saves a hacker time. I think I brought this up and pretty much got SHOUTED AT IN CAPS in the beta/alpha forum. every other PHP script takes its OWN security seriously or is it one of those have it for free but get PWND if you don’t upgrade to pro this or that?

      If you google just general security measures for any website that is what most of these sec plugins do for you. Make the config unwritable, move the admin folder.. honeypot the admin folder.. I could go on all day but somebody might take it as a challenge, and I wouldn’t want my toy site defaced now, the Turkish music that generally goes with it is pretty cool though.

      If you no nothing about security make daily backs, failing that get hacked.

      The best way to learn how to fix something is to break it first. Peace <3

      Report


  2. I applaud the transparency but am saddened that, even in this day and age, after all the negative press surrounding previous security issues, it’s still possible that respected companies suffer breaches that reveal appalling internal security practices.

    Storing passwords in plain text is more than a “mistake”.

    Unfortunately, the resulting bad press will affect all of us who work within the WordPress community as we’ll have to field questions from clients concerned about security.

    I hope there’s no-one else out there in the WordPress business space who is feeling uneasy for the same reason. If there is, then you need to act. Now.

    Report


    1. I too find it impossible to excuse “storing password in plain text” and in this day and age you really can’t explain it off as a “mistake”.

      Credit for the honesty – that mustn’t be ignored – but it doesn’t make-good for such an awful security practice.

      Report


    2. There are cases where you need to store clear passwords, but not when you’re in control of all the systems involved.

      Let’s say I had a service that would automatically back up your website and/or upgrade pieces of it. You might want to hook this up via FTP. For such a case, I would need your FTP password, and I would have to keep it in cleartext, since I need to send it to your FTP server every time I connect to it. This is obviously a terrible thing to do for security, but still fairly commonplace.

      But for a setup where I am in control of all the pieces, then I should be able to adjust those pieces to eliminate this need. I don’t need to store passwords in the clear to have various servers under my control talk to each other.

      I have no specific information, but I suspect that for something like their “sync” service, they likely stored clear passwords in order to be able to talk to each server. Simplest way. A better approach would be to have some plugin on each server to do the communication in a more secure manner instead, but that’s a bit less user-friendly, realistically. The user has to install a plugin on each site they are setting up for control.

      Supporting legacy systems and code is difficult. Security should take top priority, always, but realistically it often falls by the wayside because it doesn’t sell as well as the newer shinier features.

      Report


    3. There is simply no excuse for not MD5in’ a pass… apart from wanting to hack lots of people for fun. It’s a pretty bold move to think people would not notice either. I will probably get one of my sites battered for these truths I had similar the other day but they failed badly, and I only have one wordpress site more for pen testing and playing with. It’s getting pretty good now IMO bar SEC.

      Even this article is making many of you possible marks…..

      Report


  3. While I applaud Cory for their communication strategy, their failure to better prioritize the security of their customer’s credentials throws a lot of mud in iThemes’ faces.

    Storing credentials in clear-text is failing basic security 101. This should have been a huge red-flag for them — taking priority over every other product, process, and system they manage.

    The trick is to prioritize it, even when things are ‘working’. — Chris Lema

    I couldn’t have said it better myself. This does not build trust. WTF were they thinking? Now it is too little, too late.

    Report


  4. I am (was) very close to using a handful of their plugins to manage / maintain client websites. I’m happy this happened before I made any purchases.

    Report


  5. I don’t understand how such a big company can do this big mistake. Everyone needs to be very careful with their security especially this days. You just don’t store passwords in clear text.

    Report


  6. Lets not forget that Cory and his team would probably give everything to undo this and are more than anyone painfully aware of the fact they screwed up.

    What they need now is support from the community to overcome this, for all the years they have been supporting the community.

    We need businesses like iThemes in the WordPress ecosystem and yes even when they make a mistake. I hope no customers will be seriously impacted and trust that iThemes will take good care of those that have been.

    Report


  7. I posted this comment on their blog which hasn’t been approved so far and I’m guessing it won’t be.

    Here’s the full comment: https://gist.github.com/swalkinshaw/ac674b72dc82965b0670

    And I’ll repost it here as well:

    It’s unbelievable that people are using words like “honesty” and “transparency” right now.

    iThemes is a company that KNOWINGLY stored plain text passwords for 6 years. Did they ever mention this until now? No. That’s not honest or transparent. They were hiding it from their customers for 6 years hoping that no one would ever find out.

    Two things are obvious about this:

    1) They don’t know what they’re doing when it comes to security.
    2) They don’t care about their customers enough to protect them and do things properly.

    Want further evidence of this? The main ithemes.com site is loaded over plain HTTP. They have a login form on every page which posts to another form over HTTPS. This isn’t secure and it leaves you open to MITM attacks. Their full sign up form is also over plain HTTP and has the same problem.

    These are things you would expect in 2005. Not 2014.

    The entire iThemes site needs to be HTTPS enabled with proper redirects and proper HSTS headers.

    How about more: they use the default PHP session cookies which aren’t set to either HTTP only OR secure (which is obviously since they don’t use SSL everywhere).

    What’s even worse is after the security breach, they just reset passwords and still continue to store plain text passwords. And then you hear Cory mention “salting and hashing”. I hope you don’t literally mean using something like MD5 plus a salt.

    Use Bcrypt. This was written in 2007: http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/

    PHP 5.5 has proper bcrypt support now: https://gist.github.com/nikic/3707231

    Your “counter measures” aren’t enough. This site should be shut down (or put in read-only mode) until everything is fixed.

    All iThemes customers should not be okay with what has happened and how they have dealt with it. I wouldn’t even log in to this site until it’s at least fully HTTPS compliant.

    Report


  8. “(…)storing passwords in clear-text dates back to membership software used in 2009. Since that time, the company has been involved with a large migration process moving from legacy systems to newer technology.”

    They were lucky. After all, the passwords were stored unencrypted for 5 years!
    Thank God I’m not their customer.
    Excuse me my bad english.

    Report


  9. Think about all the folks who use the same password for all their logins, plus the hackers have most of their details. Let’s say they start skimming banks, Paypal and all the other online opportunities. Who’s liable?

    Report


    1. The person with the weak password IMO. It’s almost like some people are asking to get robbed.

      Is anybody noticing a pattern of WP sites getting hacked more than any other script for the last however many years. I don’t think one party alone is to blame though it’s just ruined there company/brand completely. This is almost laughable, no.. it is :D

      Who wants a bet? Guess my WP password in 100 tries and I will give you $100, if not you give me £500?? Deal???

      Report


  10. The reliability of the iThemes Security plugin (formerly known as Better WP Security) and the issue of compromised customer accounts at iThemes are unrelated matters. iThemes Security is a product that iThemes sells. The plugin developer is not the iThemes security officer and did not have oversight for the security practices at the company. Cory Miller already admitted that the breach was due to a legacy membership system, not anything having to do with their own products. Cory even acknowledged that the iThemes product developers were not responsible for the breach and I’m guessing that they may not have known about the passwords being stored in plain text until it was too late. I offer kudos to Cory for being transparent, and I recommend people to not be so quick to dismiss iThemes products that were not in any way responsible for the incident.

    Report


    1. Michele, did you read my comment above?

      This argument about iThemes being innocent in this completely falls apart when their own website is designed so poorly security wise. They have so many issues you can’t just ignore them.

      There’s nothing transparent about running software for 6 years and never informing customers that their passwords are stored in plain text. And there’s no way they didn’t actually know this for the majority of that time.

      If their product uses 3rd party software, it’s still part of THEIR product and their responsibility.

      Report


      1. Scott, with all due respect, did you read Michele’s comments? :)

        Her point was that while iThemes is clearly culpable (and Cory even admitted as much), the company’s poor account security practices are unrelated to the quality and value of their products, some of which were initially developed independently of iThemes and later acquired (as in the case of the iThemes Security plugin).

        While it is reasonable to hold Cory accountable (as he has done himself) for the company’s failings, it is not fair to tar the plugins with that same brush. While I can understand people’s reluctance to purchase new products until this issue has been completely resolved, the existing products still work as intended. In fact, as far as I can see, you can use the free version of the iThemes Security plugin right now without any concern for its reliability. Speaking for myself at least, I haven’t lost faith in the free plugin.

        Report


      2. Jackie, in two comments I’ve never once mentioned their plugins. I’m not claiming to know anything about them. When I was talking about their product and software I’m only referring to their website. Even in my first more critical comment I said they should shut down their site or at least customers shouldn’t log in.

        Although I do happen to disagree with you. I don’t know how you can say that these things aren’t related at all (obviously it doesn’t apply to plugins they acquired and didn’t write).

        Report


      3. So you’re suggestion that the company operates in a state of constant duplicity? We’re supposed to trust a company as authoritative on security, when they can’t even seem to secure, in a most basic way, their own internal systems?

        A bit like saying we should trust the babysitter that let’s her own kids play with knives and fire, because that’s unrelated to how they might care for your children.

        I’m not sure if this is just clever trolling

        Report


      4. And what about iThemes Sync and their Membership add-on for iThemes Exchange?

        You don’t seriously expect anyone to trust either now, do you?

        After all, they didn’t buy these plugins from someone else. They have always been part of iThemes.

        If iThemes didn’t even trust their membership plugin to run their own membership, why should anyone else?

        Honesty after the fact isn’t the same as demonstrating total confidence in your own product by actually using it yourself!

        Report


  11. Something of a key question is who did the due diligence on the purchase of better WP security? and which parties I themes are currently responsible for ensuring the security of the current and upcoming releases of said product.

    Having one programmer working in a corner handling half the WordPress security of the world when surround by people who would make mistakes so basic and so potentially disastrous does not sound like a formula for success.

    Particularly if you are self hosting, but even if you are not you should and make sure that your system is as secure as possible without the software before applying it as an additional tool.

    Kurt

    Report


    1. I knew Chris Wiegman pretty well and know that when he got to iThemes he saw some issues and thought he was going to be able to help him fix them. Considering all the problems he’s had in the code while he’s been there and the rate of new features it is pretty obvious that he probably isn’t given any support for his plugin much less has had a chance to help elsewhere (assuming they even let him). He beat this stuff (including password security) into my own head over a number of years in Illinois and, if he’s not planning his exit already, I know he takes security way to seriously to let them continue the mistakes. I’ll keep using his stuff myself but I will, I admit, be a bit relieved if it isn’t released under the iThemes name. I trusted him with my life in the cockpit and have no problem trusting his work on my websites.

      Report


      1. Looks like you called it. Chris W. is no longer with iThemes as of May of 2015.

        Report


  12. It could just be the hacker came to ithemes’ office and copied the password text file into a usb drive. Easy peasy hacking! :D

    Report


  13. I have quite a few thoughts here and I won’t apologize for what I am about to say.

    iThemes has made it’s share of mistakes over the years. They have done some stupid things, no doubt. But let me ask you this … when was the last time YOU launched a business that has done it’s best to help thousands of people and provide jobs for talented people in the WordPress community?

    Cory and I have had our differences over the years, but one thing I’ve always admired is that he and iThemes are trying to help make people’s lives better. Whether a person believes that or not is up to them, but I certainly know they care more about people in the WordPress community than some of the other “rockstar brands” out there.

    What I feel people should do is rally around iThemes and their team and ask how they can help to make this better. Stop casting stones and pointing fingers because we ALL have made mistakes.

    I get that they are supposed to be trusted experts and that this problem occurred and that it’s easy to say that this devalues their brand. But let me ask you this. What about the security breaches we’ve experienced with billion dollar companies over the past year? How many people stopped doing business with them or deleted their accounts.

    If you are a friend of iThemes, then a true friend walks through the crap with them, even if it means getting crap on their own face. If you’re not a friend, then feel free to throw your own feces … eventually you’re going to get some back.

    Just my thoughts for today. Keep your heads up iThemes and press forward!

    Report


  14. Some thoughts on this whole episode – A key piece of iTheme’s business infrastructure (which they were planning on migrating/updating from if I understand their communications correctly) was vulnerable and attacked. It’s a real shame the passwords were stored in plain text but apparently that vulnerable business system used to only do plaintext passwords until 2011.

    So if you started a business in 2008 (like iThemes did) and you’re busy trying to make money and build up your company, its easy to see how these business systems get pushed to the back as far as time and resources and attention go because they don’t directly make the money the business needs to survive and grow.

    I think what this episode really illustrates is to make sure your business infrastructure is easy to replace if needed and to make sure to invest a portion of your business time and resources in updating and maintaining your business infrastructure.

    So instead of taking iThemes to task – which they’ve already admitted they’ve made a mistake and are working on fixing the problem and making sure it doesn’t happen again – what are we doing to make sure our essential business systems are getting appropriate attention and maintenance? Or making sure we have a replacement *when* our systems are attacked and compromised?

    I do think iThemes has done a really great job of explaining what has happened, admitting the mistake, explaining how to mitigate the issue, and that they’re in the process of permanently fixing the issue. And they’re being very transparent about it. I like that.

    Report


  15. “Although this is a difficult situation for iThemes and its customers, the way Miller has handled the situation is an excellent example of leadership.”

    Very diplomatic, but untrue. Excellent example of leadership would have been to not breach the customer’s trust in the first place by acting with due haste in the migration. Tuts+ happened over 2 years ago. aMember updated since 2011. No excuses.

    My take is very different from yours: http://purpo.se/accountability/

    Report


    1. I haven’t seen your spat with Chris Lema, but your blog post is beautifully written and quite right.

      If anything, you’re actually more generous to Lema than he probably deserves. His reaction to the iThemes hack demonstrates what happens when someone who has become a sort of community leader (whether he wanted that role or not) is shown to have been recommending someone else whose practices are seriously flawed.

      He can either say that he messed up in making the recommendation without using his apparent friendship to find out some salient details (like how iThemes was storing its data), or he has to minimize the issue as “just a mistake.”

      If he had chosen the first option, presumably he’d now be revisiting all his significant recommendations to make sure that there isn’t another surprise lurking. But he didn’t, so he probably won’t.

      Does that mean that a similar episode with one of his “friends” is likely to happen? I don’t know. But, if it does, I do know that he won’t be able to say that that was just a mistake too. Otherwise few would listen to him again.

      Report


    2. @E.T. I agree with the sentiment, but there are some inaccuracies in your own article. You’re calling Cory Miller a dev and self-proclaimed security expert, I don’t think he claims either. He just runs a business that has a security plugin among its portfolio. Meanwhile, Lema has ties to Ithemes so he is naturally going to sympathise.

      To me it’s just a plain case of procrastinating on something that should be taken far more seriously and dealt with a long time ago. I don’t think people should spring to their defense when they failed their customers in an inexcusable manner. It’s strange to me that a lot of folks are downplaying the issue. I think that sets the wrong example; that it’s okay to make these kinds of mistakes, you can always recoup by being transparent in case things go wrong.

      The business lesson is good though, every communication is an opportunity to strengthen relationships, and they’ve managed to do that. They’ve also managed to control the narrative before being outed by another party, which would look a lot worse.

      Report


  16. Again, iTheme has admitted to it’s mistake and they are actively trying to fix it and make sure it doesn’t happen again. Cory and his team get it – they allowed a big mistake to happen by failing to maintain and update essential business infrastructure. But we also need to remember that it was an outside party that attacked them and we can’t assign all the fault at iTheme’s feet. Somebody with malicious intent attacked their business.

    And while everyone can feel upset at iTheme’s mistakes, if we as a WordPress community can’t forgive, assist, and learn from these mistakes – our own or others – then this is not a healthy community. We will end up driving away good people who want to make the world a better place simply because they made a mistake and we won’t forgive them for it.

    Report


    1. This is where so many iThemes apologists go wrong. It’s not about “good people” (whatever that may mean: even the most despicable souls have someone who loves them). It’s about good practices.

      Where you go right is with the sentiment of making sure it doesn’t happen again.

      And this is why it’s practices that matter, not being “a good person.” After all, if it does go wrong again, I assume Mr. Miller will still be a “good person.” He just won’t be someone whose company many of us will consider worth doing business with.

      Report


      1. Well its your prerogative to not forgive them for their mistakes that they’re trying to fix. I kind of find that view rather short-sighted and unproductive. Instead of focusing on anger and vindictiveness (“look how lousy they are!”), I think we should be focusing on how to better solve these problems and prevent them in the first place. Like iThemes says they’re trying to do.

        Has their reputation been tarnished? For sure. Will they be better in the future than they are now? We’ll see. But if we don’t even give them a chance, than we’re being just as malicious as the original attackers that breached iTheme’s systems.

        Report


      2. Strange — but telling — that you don’t actually address my points, but decide to argue with something I didn’t say.

        It’s not about “forgiveness” any more than it’s about being a “good person.” It’s about good practices.

        They didn’t adopt them before. The question is whether they’ll adopt them now. Neither of us knows. But if they don’t, they’ll be sunk. And neither “forgiveness” nor being a “good person” will come into it.

        Report


      3. @KTS915 – let me apologize for my last response that suggested you were not going to give iThemes a fair chance to fix the issues. That was uncalled for and I apologize.

        I think I see where you’re coming from and I agree regarding your point about iTheme’s failure to use best practices. But all the best practices in the world won’t stop human mistakes or malicious attacks from happening. And business decisions made at one point in time for perfectly reasonable reasons can turn around and bite you six years down the road. The reality is we can’t predict the future or read minds. We just do the best we can with the information we have – and this is why I think it’s best if we give people the opportunity to change for the better.

        In regards to my usage of the terms “good” and “forgiveness”:
        I use good as in “providing benefit”, not in the moral sense.
        I mean forgiveness as in “to stop feeling angry or resentful toward someone for an offense, flaw, or mistake”

        Thanks for the discussion.

        Report


      4. Robin: Exactly!

        Ben: Apology accepted!

        Report


      5. Ben, I think you miss what good practices means when you say “But all the best practices in the world won’t stop human mistakes…”

        Best practices are akin to a checklist, if you will, that has been accepted as the best way to mitigate disaster. Pilots, surgeons and many other professionals follow them and swear by them.

        You either follow best practices or you don’t.

        If you follow them, you are competent, knowledgeable and professional.

        If you don’t… it is many things but “human mistake” is certainly not one of them.

        Report


      6. Personally speaking, I will never use an iThemes product again. I will also encourage others not to ever use an iThemes product. In your opinion, this makes me just as malicious as the attackers that breached iThemes’ systems.

        I’m fine with that.

        I look at this whole situation as a person who paid iThemes over $100 for two WordPress products, Builder and BackupBuddy. Even though I don’t use either product anymore, all of my information was allowed to fall into the wrong hands. They, iThemes, failed to be good stewards of my information, even though they collected money from me.

        It irritates me to no end that they were storing passwords in plain text. It infuriates me that according to Cory Miller, they are STILL storing passwords in plain text.

        Report

Comments are closed.