iThemes Suffers Security Breach, Customers Urged To Reset Passwords

iThemes published details on a security breach that took place earlier today. According to the announcement, after noticing suspicious activity, the team discovered a significant attack on their membership database. iThemes urges all customers to reset their passwords immediately. To protect accounts from any unauthorized access, iThemes has temporarily reset all user passwords; to regain access to your account, you’ll need to reset your password.

The attackers could gain access to the following customer data:

  • Username
  • Password
  • Email address
  • First and last name (if you set it)
  • IP address
  • The names of products you purchased
  • Coupon codes you might have used
  • Access times
  • Payment receipt information (but no other payment info)

Since a third-party payment processor is used, credit card information is not at risk of being obtained. iThemes is working to figure out how the attack happened, ensure the security of the rest of their servers, and make sure the site is safe for visitors to browse. The team has outlined a three-step process towards accomplishing these tasks.

  • We are performing a review / audit of our Information Technology (IT) Stack
  • We are performing a review / audit of our Products and their code base
  • We are reviewing and updating our Security Incident Response and Detection procedures

iThemes is partnering with the security services company Sucuri to help with the discovery process. The CEO of iThemes, Cory Miller, concluded the announcement with the following statement.

I deeply apologize for this event. Security is a staple of the service and products we provide and I assure you we will do everything we can to analyze, understand how this occurred and seek to prevent it from happening again.

Know that your personal information is of the utmost priority to me and if you have any questions or concerns, please let us know.

Although no business owner wants to go through an experience like this, I give kudos to iThemes for being upfront and honest with their customers instead of waiting for days. If you’re an iThemes customer, please make the effort to change your password as soon as possible.

20 Comments


  1. Can we get any information on how the passwords were stored? Were they in plain text, hashed, salted and hashed?

    1. On the iThemes site, there are reports of the current/new passwords being limited to 20 characters, which would also indicate that they’re probably stored in clear text.

    2. I tried to help spread the information as fast as possible. Most of the information in the post is directly from iThemes in which they didn’t specify. Hopefully a representative of iThemes will stop by and clarify or add that information in a follow up post.

  2. Thanks for this info. I only have a free iThemes plugin and was able to get into my site with my WordPress login. Is this because I don't have the premium version?

    1. @Webdesinz – this only pertains to your account on ithemes.com – assuming you have one. If not then there’s no need to worry, if so then you’ll want to change your password there.

      Also worth pointing out, if you do have an ithemes account and you use the same password for your wp login, (or anywhere else on the web, to be honest) you’ll definitely want to change that as well.

      1. Thanks, that is fine then. I only downloaded the plugin from within my plugins on the dashboard and clicked the settings buttons to configure it there; I didn't actually log into the iThemes website to join up.

  3. THIS, is how you handle notification/management of breaches. PROPS TO CORY MILLER AND THE TEAM.

    1. This has no bearing on the iThemes Security plugin which was not installed on the site in question.

      1. Well, then why should someone else use their security plugin, since they are not using it in their most sensitive place?

      2. Not using your own security plugin on your own site, does not inspire confidence :P

      3. It looks like this wasn’t a WordPress powered site, so the plugin couldn’t be used anyway.

      4. Sometimes you download software and you just can’t believe how bad it is, or how hard it is to accomplish the very simple tasks that the software tries to accomplish. Chances are, it’s because the developers of the software don’t use it.

        – Joel on Software

        Not to imply that anything iThemes does is low quality, but it is still doubly strange that they don't use WordPress and therefore their own themes and plugins for the site.

      5. It looks like this wasn’t a WordPress powered site, so the plugin couldn’t be used anyway.

        @Ryan Hellyer – I’m curious how you reached that conclusion? ithemes.com is a WordPress site using the Builder framework. Are you looking at a different site or did you just make that up?

      6. Hmmm. I didn't make it up, but I did base it on reading the comments on the post on their website. They mentioned that there is a 20 character limit on passwords, which indicated to me that they're using a different authentication mechanism, which made me assume it wasn't running WordPress, since jerry-rigging a new authentication/user management system on top of WordPress seemed awkward and kinda pointless.

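The question in comment 1 (clear text, hashed, or salted and hashed?) and the inference that two commenters draw from the 20-character password limit both come down to what a leaked membership table exposes. The Python below is an added example and is not iThemes code or a description of their system: it stores only a salted PBKDF2 hash, so the stored record has the same length for a 1-character or a 500-character password (a hashed store needs no 20-character cap), and it shows a forced reset that invalidates every record, the action the announcement describes. The record format, the iteration count and the "!" unusable-record marker are my own assumptions for the illustration.

```python
"""Salted password hashing beside a forced reset: a constructed example.

Not iThemes code or data. The record format, the PBKDF2 work factor and
the "!" marker for an unusable record are assumptions for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # per-user random salt
UNUSABLE_PREFIX = "!"         # a record starting with this can never verify


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record "pbkdf2_sha256$<iter>$<salt hex>$<hash hex>".
    Only the derived hash is stored, so the record is the same length whether
    the password has 1 or 500 characters: the schema never needs a length
    limit on the password itself, which is why such a limit hints at a
    plain-text column.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if record.startswith(UNUSABLE_PREFIX):
        return False                      # account is awaiting a reset
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                      # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unusable_record() -> str:
    """A record that can never verify; the random suffix keeps reset rows distinct."""
    return UNUSABLE_PREFIX + os.urandom(SALT_BYTES).hex()


def force_reset_all(table: Dict[str, str]) -> Dict[str, str]:
    """Invalidate every stored credential after a suspected breach.

    The old hashes are discarded outright; each user must set a new password
    before they can log in again.
    """
    return {user: unusable_record() for user in table}


def record_length_is_password_independent(iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a hashed store needs no cap on password length."""
    short = hash_password("a", iterations=iterations)
    long = hash_password("x" * 500, iterations=iterations)
    return len(short) == len(long)


if __name__ == "__main__":
    # Constructed sample accounts; two of them chose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple",
             "carol": "a-passphrase-well-over-twenty-characters-long"}
    table = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in table.items():
        print(name, rec[:40] + "...")
    assert table["alice"] != table["bob"]          # different salts, same password
    assert verify_password("correct horse battery staple", table["alice"])
    table = force_reset_all(table)
    assert not verify_password("correct horse battery staple", table["alice"])
    print("after the forced reset, old credentials no longer verify")
```

With a store like this, a dump of the table yields per-user salted hashes that still have to be guessed one account at a time, whereas a plain-text column hands over every password and every reuse of it elsewhere, which is exactly why the advice in the thread to change any shared password stands regardless of how iThemes stored theirs.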
  4. Kudos to the iThemes team for being so quickly proactive on this issue. Unfortunately, no matter how much or how little security is on a site, this just goes to show that no site is ever 100% secure. That is the first lesson in security. While I am sure we will never know how they got in or exactly what was compromised, I have full faith that they will fix the breach.

  5. Oh my……. and they even have a security app out if I’m not mistaken. WP = EASY TARGET.

  6. The users must be horrified knowing that their info is being hacked.
