Important Update

Written by Magnus Jepson on May 14, 2014 Blog.

This is a follow-up post to our last post Important information for all WooThemes Customers

This last week has been our biggest tests to date. The whole team has been working day and night to get as much information as possible from our security breach. We’ve been in direct contact with customers who have been affected, and we can’t thank you enough for being so positive and supportive, even though some of you have had to cancel your credit cards and file claims with your financial institutions.

Investigations are still ongoing with many parties involved. However, we believe in being as transparent as possible, and we want to update you all on what we do know so far, and what steps we have taken to make sure this never happens again.

What We Know

  • Customers who purchased after November 27th 2013 up until May 8th 2014, are suspected to be affected by this breach (we have contacted all potentially affected customers via email).
  • We believe these sophisticated criminal hackers had intercepted some credit card details between checkout and our off site credit card processor.
  • The intruders are believed to have started using the credit cards around May 1st, and we received the first report on May 3rd.
  • On May 7th we had received 20 reports, and we involved our payment gateway and WPEngine (who involved security consultants) to investigate.
  • We took our payment gateway offline on May 8th.
  • We emailed 230,000 customers on May 9th and went public on our blog about the breach.
  • WPEngine and their security consultants are still unsure as to the point of entry or how the information was leaked. This remains an ongoing investigation.
  • There is no evidence that shows any signs of WooCommerce code vulnerabilities. If our further investigation show any insecurities in our products, we will of course take immediate steps.

What We Have Done

We want to make sure that this never happens again. Here are the steps we’ve taken so far:

  • Full security audit of our servers by WPEngine.
  • We have reset all passwords as a precaution. We strongly recommend using 1Password to create and store a strong, unique password for your account. Click here for an exclusive discount on 1Password.
  • We have moved our payment off-site, using PayPal Express, for the most secure checkout experience.
  • We have moved parts of our website off-site, and will continue to do so (product changelogs and downloads).
  • We have updated our SSL certificate as a precaution.
  • We have installed Duo Security (two-factor authentication) for all admin accounts.
  • We are hiring a security/sysadmin to make sure we don’t rely solely on others with such vital cogs of our business going forward.
  • We will continue to conduct security audits of WooCommerce (like we have done in the past) and continue to do so on every major release.

We’re Sorry

We wholeheartedly apologise for this inconvenience. It frustrates us immensely that these criminals have not only attacked us, but our customers and our community. We will strive to ensure this will never happen to us again.

If you have any further questions, do not hesitate to contact us.


27 Responses

  1. Jay Doubleu
    May 14, 2014 at 4:35 pm #

    I had 2 of “those phone calls” from 2 credit card providers at the beginning of last week. It’s nice to be made aware of where the breach came from.

    Glad to see that this has been resolved, moving forward offsetting your gateway responsibilities to PayPal is likely the best move.

    Thanks for the transparency.

  2. sebataro
    May 14, 2014 at 4:36 pm #

    Thank you very much for your transparency and counter measures.

    Thank you for the coupon too.

    I will keep on using your company great services.

    Kind regards.

  3. Dan
    May 14, 2014 at 4:37 pm #

    I am pretty frustrated as I had to cancel both my credit card AND business debit card because both of mine were hacked! BUT, I am glad to finally know what happened and have my mind put at ease that things are being done to fix it.

  4. Antonis
    May 14, 2014 at 4:37 pm #

    This is crazy. Two of my card details have been stolen. Thanks alot guys…

  5. jimmycrow
    May 14, 2014 at 4:37 pm #

    My cards are used for several small purchases for a SKYPE type app for long distance service. My bank caught it very quickly so no harm.

    Thanks for the transparency.

  6. Nate
    May 14, 2014 at 4:37 pm #

    Yeah, I had $708.12 for tickets to the Carribean taken out of my account last week. I called the bank and filed a claim while it was pre-auth. It posted and overdrew the account. So that was awesome. Glad I know where it came from, but I still haven’t gotten the money back so I found your email with a discount code appreciated but unfortunately, until I get my money back, no money for you.

  7. spotlightweb
    May 14, 2014 at 4:38 pm #

    All large vendors will be compromised at some point in time, that is the nature of our current e-world. The difference is in how they handle it. Kudos to you WooThemes. You have handled this like a true professional and it reinforces the confidence I have in you and your products. Thank you for the detailed updates, and for looking out for the consumer. I know that I truly appreciate it, and am sure many others do as well.

    • Lauren L Perfors
      May 14, 2014 at 4:46 pm #

      I agree! the comments that come down harshly on WooThemes for the breach in response to their blog post accomplish nothing. Perhaps those impacted feel a bit better after they had the opportunity to lash out online. However, while I will not begin to pretend to understand the technical details of the breach, plenty of large companies have been impacted by similar hackers.

      Commenting so harshly on the company who dutifully notifies it’s customers right away (where we have seen much larger companies attempt to hide similar news from the public) putting their own reputation at risk, is like punishing the company for doing its best to take care of its customers.

      • Ryan
        May 15, 2014 at 5:32 pm #

        Thanks for providing your support and perspective on the situation. We’re sincerely trying to take care of every one of our customers.

  8. Julius
    May 14, 2014 at 4:40 pm #

    Over $1,500 lost because of this! Could have been more if my debit card had not been frozen by my bank. Definitely not buying anything from Woo again.

    At least I know what happened now. I

  9. blaubaer
    May 14, 2014 at 4:41 pm #

    Our credit card was closed by the provider Pluscard, as they recognized few transactions around the world with low transactions between $10 and $150. Nicely it was only a prepaid credit card with a very small plus on it, so nothing wrong was going on at last. Thanks Wooguys as we know how it came to this transactions and best of all, you moved over to Paypal as we pay with them for a long time.

  10. Lisha
    May 14, 2014 at 4:41 pm #

    Got a call early last week about someone using my credit card to buy over $200 worth of clothes. I’m normally very careful about where and how I use my card so it confused me until I read this. Now it makes sense. Thanks for letting us know.

  11. nbtechnologies
    May 14, 2014 at 4:41 pm #

    I had two cards compromised as well. They both had to be cancelled and reissued. I’m glad to find out where the breach was, but still wish it hadn’t happened in the first place.

  12. Kenneth
    May 14, 2014 at 4:42 pm #

    Thanks for being so open about this. Someone attempted to defraud my credit card on May 4th/5th but my bank were suspicious and stopped my card. That card has now been cancelled and a replacement issued.

    Could you clarify if this is a vulnerability in the Woocommerce system itself?

    • Ryan
      May 15, 2014 at 5:37 pm #

      No evidence thus far shows any signs of it being a vulnerability of WooCommerce. I’m so sorry to hear you were targeted, but am glad your bank is on top of the situation with your card.

  13. Michelle
    May 14, 2014 at 4:42 pm #

    I had some strange activity on my cc. Luckily my bank shut the card down. At least now I know where it was from. Thank you though for taking action and owning it. If rather now the deal and what your doing to fix it then like some other companies that shy away from something like this. I know I’ll still be a woo customer.

  14. Kim Christensen
    May 14, 2014 at 4:43 pm #

    I got my card locked last week after “unknown” persons had made Western Union wire transfers for almost 4000 Euro.. around 30.000 dkr. So now I’m struggeling with my back to get thoes money back.

    It’s good to know where my credit card details was stolen from. I have always been carefull with where I would use it with my small company. It was quite a chunk of money I have lost at the momemt, and maybe forever 🙁

    I have just received a new credit card, and for now I only use it on paypal etc. with extremly high security.. Especially if the money is lost..

    But sad with all this hacking 🙁

  15. Robbert
    May 14, 2014 at 4:43 pm #

    I’m not happy, my card was stolen as well and used… Have to see to get money back, which will probably work. Having seen several discussions online I expect that much more than 20 customers musts have reported the problem meanwhile.
    And then having a discount coupon for my next purchase – which we should almost make immediately.
    On top of all I already suggested to offer PayPal as a payment service 2 years ago to you. I really hate using credit cards online. This whole story reminds me why.
    Of course I understand the also you guys are really not happy with what happened. But for all customers that became a victim of this theft I think you can come up with something better than a short-term discount…

  16. Aryeh
    May 14, 2014 at 4:43 pm #

    My account looks to not be affected. If anyone is in the US I recommend

    Transparency is the key to this one. Thank you and we support you.

  17. marion2318
    May 14, 2014 at 4:44 pm #

    I had two charges on my card as well for rail tickets and airline tickets in China and France on May 7th. Cancelled the card, getting one reissued. At least I know what happened now. Thanks for letting us know.

  18. Patrick
    May 14, 2014 at 4:44 pm #

    My credit cart got canceled while i was on vacation is the states 😛 And that was my only payment method. But we were able to work something out with my credit card company.

    • Ryan
      May 15, 2014 at 5:35 pm #

      Horrible timing, I’m extremely sorry this happened to you while on vacation. No one wants to deal with fraud while they are out enjoying their time off. I’m glad your credit card company has helped out here. Hope the rest of your time is worry free!

  19. Scott
    May 14, 2014 at 4:44 pm #

    Yeah… I’m pretty frustrated since I had two PayPal business debit cards hacked, both of which zeroed my PayPal accounts and therefore pulled from my backup accounts. Transactions in the Netherlands, Quatar, etc. My bookkeeping this month-end is going to be a nightmare and I’m not sure I’ll have cash on hand to pay my contractors tomorrow.

    I’ve spent hours on the phone with PayPal. At least to their credit, they are awesome, flagging transactions while still in “pending” mode and then crediting them back to me when the process (even though that can take 48 hours).

    I have learned from this. I currently use PayPal to process payments on my store and had in the back of my mind perhaps moving that onsite at some point. Now I never will.

    I don’t blame you guys. I blame “them.” And I hate them.


    • Ryan
      May 15, 2014 at 5:34 pm #

      I’m so sorry to hear this has affected you and your situation in this way, disheartening to see that. I hope PayPal helps clear any fraud charges for you ASAP. Thanks for letting us know, Scott.

  20. loewenberg
    May 14, 2014 at 4:46 pm #

    I was also hit… $939 purchased at Dell. My bank detected it as fraud and closed my credit card account.

    • Ryan
      May 15, 2014 at 5:32 pm #

      If you’ve not yet, please do contact us using that link at the bottom of the post. Thank you!

  21. Magnus Jepson
    May 14, 2014 at 4:58 pm #

    We’re closing comments on this thread.

    As open and transparent as we want to be we need to ensure these tickets are submitted in the correct place for our analysis.

    Please don’t hesitate to contact us via our contact page.