TechCrunch Hacked by OurMine, Attackers Target Weak Passwords

TechCrunch is the latest victim in OurMine’s summer hacking rampage. The site, which is powered by WordPress and hosted via WordPress.com VIP, was hacked this morning and defaced with a message from the attackers who identify themselves as an “elite hacker group.”

TechCrunch’s news ticker was updated to display: “Hello guys it’s OurMine Team, we are just testing TechCrunch Security, don’t worry we never change your passwords. Please contact us.” OurMine gained access to a contributor account and posted a similar message.

According to a report from Engadget, TechCrunch’s sister site, the hackers gained access via a contributor’s weak password, not by exploiting a vulnerability in WordPress or the site’s plugins. TechCrunch was able to regain control of the site within minutes and delete the content created by the attackers in the admin.

OurMine is the same group that hacked Mark Zuckerberg’s Twitter, Pinterest, and LinkedIn accounts after he used the same password for multiple sites. Bad password security can make even the most secure websites vulnerable to these types of attacks. Although OurMine is primarily targeting high profile individuals and publications, WordPress sites are constantly the target of brute force attacks.

Security plugins like Wordfence, iThemes Security, and Jetpack’s Brute Protect module can help deter brute force attacks, but it’s virtually impossible to eliminate the human factor: users choosing poor passwords or reusing the same password across multiple online services. WordPress site owners, particularly those who run publications with many users holding elevated permissions, are especially exposed to attacks that target bad password security.

Although WordPress warns users about weak passwords, it doesn’t force them to create a strong one. Site owners who want to make this a requirement can use a plugin like Force Strong Passwords for extra security.
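As an added illustration of enforcing that requirement in code (this is example code written for this article, not the Force Strong Passwords plugin’s own implementation), the following small WordPress plugin rejects weak passwords on the server side during profile updates, new-user creation and password resets, using the core user_profile_update_errors and validate_password_reset hooks. The 12-character minimum, the three-of-four character-class rule and the rsp_ function names are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Require Strong Passwords (example)
 * Description: Server-side password policy for profile updates and password resets.
 */

// Policy thresholds are this example's own assumptions, not WordPress defaults.
const RSP_MIN_LENGTH = 12;

/**
 * Return an error message if $password violates the policy, otherwise null.
 * $user is the WP_User (reset form) or stdClass (profile screen) being saved.
 */
function rsp_password_error( $password, $user ) {
    if ( strlen( $password ) < RSP_MIN_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', RSP_MIN_LENGTH );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) { $classes++; }
    }
    if ( $classes < 3 ) {
        return 'Password must use at least three of: lowercase, uppercase, digits, symbols.';
    }
    // Reject passwords that embed the login name or the mailbox part of the email.
    $parts = array();
    if ( ! empty( $user->user_login ) ) { $parts[] = $user->user_login; }
    if ( ! empty( $user->user_email ) ) { $parts[] = strstr( $user->user_email, '@', true ); }
    foreach ( $parts as $p ) {
        if ( strlen( $p ) >= 4 && stripos( $password, $p ) !== false ) {
            return 'Password must not contain your username or email address.';
        }
    }
    return null;
}

// Profile screen and Add New User form: runs before the password is saved.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) { return; } // no password change requested
    $msg = rsp_password_error( wp_unslash( $_POST['pass1'] ), $user );
    if ( $msg ) { $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) ); }
}, 10, 3 );

// Password reset form (wp-login.php?action=rp): same policy, same error handling.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) { return; }
    $msg = rsp_password_error( wp_unslash( $_POST['pass1'] ), $user );
    if ( $msg ) { $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $msg ) ); }
}, 10, 2 );
```

Because the checks run inside the WP_Error objects WordPress already consults, a rejected password is never written, regardless of what the browser-side strength meter reported.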

17 Comments


  1. Site owners who want to make this a requirement can use a plugin like Force Strong Passwords for extra security.

    Thanks for the tip on the plugin!



      1. I see that the plugin didn’t make it to core as of yet.
         Is it MultiSite compatible? I’d love to give it a go :).


  2. Wow… This is quite interesting. It is a good thing that these particular hackers had no malicious intent. It could have turned out very badly. I like iThemes Security; they are quite good. The problem is that most members on membership sites do not care much about creating a strong password, and that causes issues for the site admins. I guess that’s where plugins such as Force Strong Passwords come in handy.


  3. Is there a fail2ban implementation?


    1. If you read the article, you will see that it is in fact not being banned ;) That’s just a click-baity title.


  4. Damn, I’m glad TechCrunch is still doing fine though. This is another great warning for us regular site owners to beef up our security features.



  5. I’m surprised a site such as TechCrunch didn’t have more parameters in place, they must get thousands of brute force attempts every day so surely a simple noCaptcha reCAPTCHA at least should have been implemented.



    1. That would only work if it were a brute force attempt. I don’t think there has been any hint that may have occurred here, just that a weak password was at fault.



  6. Just install the Human Weak Password plugin. If you create a weak password a hand reaches out of your computer monitor and bitch slaps you. ha ha ha.



  7. Something like this happening is why I prefer not to give contributors full accounts but use the Co-Authors plugin instead, especially if they aren’t tech savvy or would be just occasional or only one-time contributors (like guest posts from authors promoting their novels, or guest reviews or something).

    Still need to crack the whip on the folks with regular accounts… probably sooner rather than later :)



  8. Should WordPress core limit login attempts itself? Every account system should have this in place.
