TechCrunch Hacked by OurMine, Attackers Target Weak Passwords

TechCrunch is the latest victim in OurMine’s summer hacking rampage. The site, which is powered by WordPress and hosted via VIP, was hacked this morning and defaced with a message from the attackers who identify themselves as an “elite hacker group.”

TechCrunch’s news ticker was updated to display: “Hello guys it’s OurMine Team, we are just testing TechCrunch Security, don’t worry we never change your passwords. Please contact us.” OurMine gained access to a contributor account and posted a similar message.


According to a report from Engadget, TechCrunch’s sister site, the hackers gained access via a contributor’s weak password, not by exploiting a vulnerability in WordPress or the site’s plugins. TechCrunch was able to regain control of the site within minutes and delete the content created by the attackers in the admin.

OurMine is the same group that hacked Mark Zuckerberg’s Twitter, Pinterest, and LinkedIn accounts after he used the same password for multiple sites. Bad password security can make even the most secure websites vulnerable to these types of attacks. Although OurMine is primarily targeting high profile individuals and publications, WordPress sites are constantly the target of brute force attacks.

Security plugins like Wordfence, iThemes Security, and Jetpack’s Brute Protect module can help deter brute force attacks, but it’s virtually impossible to eliminate the human factor in poor password selection or the practice of using the same password for multiple online services. WordPress site owners, especially those who run publications that have many users with permissions, are especially vulnerable to attacks that target bad password security.

Although WordPress warns users about weak passwords, it doesn’t force them to create a strong one. Site owners who want to make this a requirement can use a plugin like Force Strong Passwords for extra security.


17 responses to “TechCrunch Hacked by OurMine, Attackers Target Weak Passwords”

  1. Wow… This is quite interesting. It is a good thing that this particular hackers had not malicious intent. It could have turned out very badly. I like iThemes Security they are quite good. The problem is most members in memberships site do not care much to create strong password and that causes issues for the site admins. I guess that’s where plugins such as Force Strong Passwords come in handy.

  2. Something like this happening is why I prefer not to give contributors full accounts but use the Co-Authors plugin instead, especially if they aren’t tech savvy or would be just occasional or only one-time contributors (like guest posts from authors promoting their novels, or guest reviews or something).

    Still need to crack the whip on the folks with regular accounts… probably sooner rather than later :)


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: