WPML Confirms It Did Not Have a Security Breach

When WPML emailed new passwords to customers in plaintext, some customers thought it was due to a security breach. Amit Kvint, compatibility team leader for WPML, confirmed the emails are not a result of a security breach.

In a post on the official WPML blog, Kvint says the emails were a preventive measure to insure accounts remain secure, “The main purpose and underlying principle for this action was making sure everyone has a good new strong password, we consider this an important step in online security,” Kvint said.

Kvint acknowledges the improvements in WordPress 4.3 in how passwords are handled and admits that sending passwords in plaintext was not a good idea, “The best practice would be, once the password is sent, to login and reset the password to a new strong one. We will definitely revise the way this is done in the future,” Kvint said.

The blog post does not go into detail in how they determined passwords to be weak. To the best of my knowledge, WPML does not have a policy in place to enforce strong passwords. While no accounts were compromised, if some of the contacted customers choose a weak password, wouldn’t it defeat the purpose of resetting passwords in the first place?

8 Comments


    1. There are legitimate ways to work this out though. A simple rainbow table brute forcing would pick out the truly horrendous ones. And they could also check them on submission and have sent the emails out at that point perhaps.Report


      1. Yes, I agree. Microsoft did this before when they sent out emails to users who have weak passwords, but it can only catch those common weak passwords. I was curious as well to know how WPML did it since some users said their passwords were actually strong passwords.Report


      2. Just a thought. Only because I think its secure a third person might see this differently.

        I might think ffew45 is secure. I just run a small md5 hash test with 4179b02902dcac9408a13c0b95736c28 on http://www.hashkiller.co.uk/md5-decrypter.aspx

        Turns out, it’s not.

        Yes, I know, WP encrypts better than md5, but just as an example.Report


      3. From what I gathered from comments in another thread, the emails didn’t have anything to do with the actual strength of a password. I feel that they didn’t actually “detect” anything; they just made the (likely correct) assumption that there were at going to be a fair number of insecure passwords in general, then reset every account.Report


      4. They should have thought through before resetting every user’s password. First of all, there is no headsup email informing users of the upcoming password reset. Secondly, they reset each user’s password and sent the strong password in plaintext so user can change it later, doesn’t it beat their initial intention?Report


      5. There was a heads-up email, though I’m not sure how far in advance it was sent. Definitely agree with your second point though; that wasn’t well thought out at all.Report


      6. Jeff, you must have forgotten that you published that very head’s up email on your other post?Report

Comments are closed.