WPML Alleges Former Employee Breached Website and Took Customer Emails

Over the weekend, many WPML customers received an unauthorized email from someone who claimed to have hacked the company’s website and gained access to customer emails. WPML founder Amir Helzer suspects that the attacker is a former employee.

“The customer is an ex-employee who left an exploit on the server (not WPML plugin) before leaving. Besides fixing the damage, we’ll also be taking legal actions,” Helzer said Saturday night.

The WPML team worked around the clock over the weekend to secure their systems and sent out an email informing customers of the incident. They also assured customers that the WPML plugin does not contain an exploit and that payment information was not compromised. The company published an announcement to their website, detailing the incident and their response:

We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system.

These are more precautions than actual response to the hack. Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.

This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it’s done already.

WPML urges customers not to click on any links in the email the attacker sent out and recommends they change their passwords for wpml.org. The attacker has customer names, emails, and sitekeys, but WPML said the sitekeys cannot be used to push changes to customer websites.

Helzer is convinced that the attack was an inside job and suspects two former employees. He and his team are working to provide evidence to the authorities. He said the nature of the attack demonstrates that it was likely not an outside hacker:

  • The first time our site was breached was on the day we fired an employee, who had access to our servers. We didn’t identify the breach at that time. However, once we got hacked, we analyzed the original hole and we found in our log when it was placed (yup, he deleted the log, but he didn’t delete the backup). Now that we finished cleaning up the mess, we’re going through all logs and collecting the full evidence.
  • The attacker targeted specific code and database tables that are unique to our site and not generic WordPress or WPML tables.
  • The attacker crafted the attack so that it would cause us long term damage and not be apparent in first sight. That long-term damage is very difficult to guess without knowing our business objectives and challenges. This is information that our employees have, but we don’t disclose.

The idea that a former employee who is known to the company would risk performing these illegal actions is difficult to grasp, even in the case of someone who was fired and may have been acting in retaliation. The risks of being caught seem too great.

“In many jurisdictions including the USA, this is jail time,” Wordfence CEO Mark Maunder said. “So I find it quite incredible that an employee would leave a backdoor, use it to deface their site, steal their data and email all subscribers. This is the infosec equivalent of walking into a police precinct and tagging the wall while the cops watch.”

Helzer said the incident should serve as a wakeup call for companies that employ remote workers. It highlights the importance of having procedures in place for revoking employee access to all systems used as part of day to day operations.

“We have to admit that our site was not secured well enough,” Helzer said. “If someone previously had admin access and stopped working for us, we should have been more careful and avoided this situation.

“This can be a wakeup call for others. We talk a lot about the benefits of remote work and most of the WordPress industry works remotely. This made us realize that we need to be a lot more pessimistic when we allow any access to our system.

“For example, the fact that we’re now coding for ourselves a requirement to login with 2fa, means that we’re not alone in this exposed situation.”

The attacker’s unauthorized email and WPML’s response email went out over the weekend, so many customers will be learning of the incident today when they return to work. Helzer said customers have been supportive so far.

“I think that customers appreciate the fact that we contacted them as fast as we could and we dropped everything and ran to handle this,” he said. “I think that we’ll still have damage. Clients did not run away from us right now but a good reputation is something that you build over years. A nasty incident like this stays ‘on your record.’ This is our livelihood and we take it seriously.”



  1. Sadly, whilst major economies have laws to punish this type of abuse, that doesn’t stop it from happening, regardless of whether the (ex) employee knew the consequences or not.

    Your tagging example is a case in point. Most people know that, when stopped by a police officer, punching them in the face is not going to end well, but this happens every day.

    Judicial consequences have never been proven to be a deterrent to improper action, at least not to all the population. If, for example, the perpetrator was severely depressed, judgement will not enter into the decision to do the act. In many jurisdictions, that is no defense.


  2. “The idea that a former employee who is known to the company would risk performing these illegal actions is difficult to grasp, even in the case of someone who was fired and may have been acting in retaliation. The risks of being caught seem too great.”

    People are caught for poorly thought out crimes of passion all the time.


  3. This is what I did when I fired an employee at my company…

    1) I called security to cancel his security card/access card
    2) I cancelled his @companyname.com e-mail address
    3) I cancelled his access to everything in the company
    4) I called him and asked him to come to the office right away.
    5) When he arrived, security escorted him to my office.
    6) I took his cell phone (company cell phone).
    7) I asked him to sit down
    8) I cancelled the cell phone
    9) I told him that he was fired, explained the reason
    10) I gave him all his personal belongings from his office
    11) I called security to escort him out of the building
    12) Security escorted him out

    By security I mean 1 staffer that sits in the front desk of the first floor.

    WPML should have cancelled his access to the server and any company e-mail and so forth THEN fired him


    1. This sounds extreme.

      What about the notice period? Weren’t you supposed to let the employee know in advance?


      1. Not necessarily. In many places, a certain number of weeks worth of pay can be given in lieu of notice.


      2. In my state, you can fire an employee on the spot for any reason (aside from obvious things like discrimination). No notice required.


    2. Seeing as they used an old SSH password, I would add to your list: audit all passwords to make sure there’s nothing lying around they could use.


      1. Marc, I covered that in 3)


      2. @Miroslav

        I thought they meant the former employee used a more “generic” SSH password, one that was assigned, e.g., to a project, not a person.


    3. And you still have employees in your “Company”? Treating people as criminals. What is it, a branch of KGB?


      1. How is this a branch of the KGB? All I said is an hour before you fire an employee, you cut off their access to the system/server and so forth.

        I had admin access to many companies I worked for over the years, even 3 years after I stopped working for those companies. THAT is a HUGE security problem.


    4. @Miroslav

      It is funny that you always know best and that your situations always apply to the rest of the world somehow.


      1. I never once said that. Former employees shouldn’t have access to the company systems. Fired employees sometimes try to “get revenge”.


  4. This is a rather common scenario.

    I often have to contact companies to remind them to disable my access to their internal systems. I often discover I still have access many years later.


  5. I don’t buy this. Why would someone risk their freedom for no financial gain? This isn’t a hacker, it’s a whistleblower. If it was a backdoor exploit then why this statement:

    ‘We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system.’

    Why not just remove the backdoor if everything was already perfectly fortified?

    If a bank teller steals they don’t rebuild the bank…

