The CEO of iThemes, Cory Miller, published a second update concerning the security breach that occurred on Tuesday. After news of the breach broke, customers were left wondering whether their passwords had been stored in clear-text. The latest update confirms that passwords were stored in clear-text, affecting approximately 60,000 customers.
There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.
Yes, those credentials were used across our entire platform, from our iThemes membership login to your iThemes Sync login.
Passwords stored in clear-text can be read directly by anyone who obtains a copy of the database, whether through a breach, a leaked backup, or an insider: there is nothing to crack, and because the same credentials were used across the iThemes platform, a single table exposed every login at once. According to the announcement, the clear-text storage dates back to membership software adopted in 2009. Since then, the company has been carrying out a large migration from legacy systems to newer technology.
Know that it’s not because we did not value your data. As an organization, we have been working on a very large migration process that has required us to interlink legacy systems with the latest technologies. Anyone who has ever gone through that process understands the complexities and challenges.
Frankly put, it’s been something we identified as a potential risk and are working rapidly now to rectify this issue as fast as humanly possible.
I asked the CTO of CrowdFavorite, Chris Lema, who has over 20 years of experience in enterprise and SaaS products, if what iThemes experienced is common. “I can tell you this isn’t the first or last time I’ve heard of legacy systems that needed to be migrated or code that needed to be refactored. Sometimes you do it before anything bad happens. Sometimes you’re not fast enough. The trick is to prioritize it, even when things are ‘working’.”
In order to avoid the issues iThemes is working through, Lema offers the following advice. “Companies that have legacy systems – especially membership sites or eCommerce sites with users/passwords need to create a strategy for migrating those old systems while keeping everything running. This often means the creation of several interim systems. In other words, the migration isn’t a straight path but a multi-stop journey.”
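The two points above, that a clear-text table hands an attacker every password outright and that a legacy store has to be migrated while the site keeps running, can be shown in code. The following is an added example written for this article, not iThemes code or anything Lema described: a constructed two-row user table holding clear-text passwords, a `hash_password`/`verify_hash` pair built on PBKDF2-HMAC-SHA256 from the Python standard library, a `login` routine that authenticates against whichever form a record is in and rewrites a legacy record as a salted hash on the first successful login, and a `bulk_upgrade` job for the rows that never log in. All names, the `users` dictionary and the iteration count are assumptions for the illustration; in production a memory-hard hash such as bcrypt or Argon2 is preferable, PBKDF2 is used here only because it needs no third-party package.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of a legacy membership table that stores clear-text
# passwords (the situation described in the article, not real iThemes data).
LEGACY_USERS: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"password": "correct horse battery staple", "pw_hash": None},
    "bob":   {"password": "hunter2", "pw_hash": None},
}

# PBKDF2-HMAC-SHA256 work factor; assumed value, chosen so one check costs
# a noticeable fraction of a second on commodity hardware.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'algo$iterations$salt$digest' string.

    A fresh 16-byte random salt per user means identical passwords produce
    different strings, and the iteration count is stored alongside so it can
    be raised later without invalidating existing records.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hash(password: str, stored: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def login(users: Dict[str, Dict[str, Optional[str]]], username: str, password: str) -> bool:
    """Authenticate against either record form; upgrade a legacy record on success."""
    rec = users.get(username)
    if rec is None:
        # Burn the same cost for unknown accounts so response time does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    if rec["pw_hash"] is not None:
        return verify_hash(password, rec["pw_hash"])
    # Legacy path: the record still holds clear-text. Compare in constant time,
    # and only on success replace the clear-text with a salted hash.
    legacy = rec["password"] or ""
    if not hmac.compare_digest(legacy.encode("utf-8"), password.encode("utf-8")):
        return False
    rec["pw_hash"] = hash_password(password)
    rec["password"] = None
    return True


def bulk_upgrade(users: Dict[str, Dict[str, Optional[str]]]) -> int:
    """Hash every remaining clear-text record now; return how many were converted.

    Unlike a migration from an old hash format, a clear-text store can be
    converted in one batch because the plaintext is already available.
    """
    converted = 0
    for rec in users.values():
        if rec["pw_hash"] is None and rec["password"] is not None:
            rec["pw_hash"] = hash_password(rec["password"])
            rec["password"] = None
            converted += 1
    return converted


def count_cleartext(users: Dict[str, Dict[str, Optional[str]]]) -> int:
    """Number of records that still expose a clear-text password."""
    return sum(1 for rec in users.values() if rec["password"] is not None)


if __name__ == "__main__":
    table = {name: dict(rec) for name, rec in LEGACY_USERS.items()}
    print("clear-text rows before:", count_cleartext(table))
    print("alice login:", login(table, "alice", "correct horse battery staple"))
    print("rows converted by batch job:", bulk_upgrade(table))
    print("clear-text rows after:", count_cleartext(table))
```

The login-time upgrade is the interim step Lema's "multi-stop journey" alludes to: it lets the new hashed store and the old table coexist while traffic flows, and a failed login never touches the record, so an attacker cannot use the upgrade path to overwrite someone's password. Once the batch job has run, `count_cleartext` returning zero is the check that nothing readable is left behind.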
Honesty is a Virtue
Customers have expressed disappointment that a company that sells one of the most popular WordPress security plugins failed to follow basic security practice. However, thanks to Miller’s honest approach of attacking the issue head-on, many of those same customers are pledging their support.
Although this is a difficult situation for iThemes and its customers, the way Miller has handled it is an excellent example of leadership. The easiest thing to do in situations like these is to sweep the problem under the rug or talk around it. While customers have every right to be outraged, Miller’s human and honest approach has kept the backlash to a minimum.