24 Comments

  1. Stephen

    Makes sense when I started getting fake emails from WordPress theme companies I had never heard of and never signed up for. WPLab (xyzwplab at gmail.com). Something about EngineThemes.

  2. Drew Jaynes

    Thanks for the heads up, Jeff. I (unfortunately) saw it here first. As a customer of Templatic (several years ago) I’d think I would’ve heard it from them. Guess not.

  3. Ramesh

    This is scary. Templatic is behind a WAF and still it was hacked? Or perhaps they secured their site with Sucuri WAF only after the hack?

  4. Miroslav Glavic

    we will share it on our social mediate accounts

    should be

    we will share it on our social media accounts

  5. Saurabh Shukla

    I sincerely hope Templatic shares the how and why of this incident as well as the recent security vulnerabilities in their products, so everyone else can learn from it and avoid a similar fate for themselves and their customers.

  6. WPVKP

    Templatic :: System Details: Running on: Sucuri/Cloudproxy

    They already have the Sucuri protection and still they have been hacked.

  7. Ryan Hellyer

    This reminds me of all the times companies have asked me to share FTP/SSH credentials via their support systems and wondered why I refused to hand them over. If details like that are going to be shared, they need to be deleted immediately so that these sorts of problems can not occur.

    • Bhavesh

      You are right Ryan,

      Customers, however, have different levels of technical knowledge. Sometimes they don’t even know what a theme or plugin is. We ask for FTP in order to speed up resolving the issues they are facing instead of making them go through the technicalities (which frustrates them very quickly).

      Downside is that things like this can happen. At the moment we are using Groove.com SaaS helpdesk so no issues there. But our old helpdesk did have some tickets there.

      • Ryan Hellyer

        But you could just (fully) delete them straight away. Then the data would not be stored in the database and only fresh data could be compromised at least.

        • Terence

          I have used LastPass for many years and on my mobile phone too.

          A very smart server admin introduced me to it and suggested I use it to share my login credentials with his company.

          LastPass has the ability to share login credentials without letting the password be seen by the person you’re sharing it with, you can see in their logs if the credentials have ever been used, and the share can easily be revoked.

          Works for me and I bet it would work for most people here too.

  8. Jeffrey

    This is too sad. I hope those affected customers didn’t use the same password as their financial account password.

  9. Manni

    The link to the “free site scanning tool” mentioned in the post sends you to Sucuri, who scans your site and never ever finds a firewall, even if you have one. The point being that Sucuri wants to sell its services, so I am suspicious about the results. I guess the author should’ve suggested a truly free service not out to sell stuff.
