This is a follow-up to our last post, "Important information for all WooThemes Customers".
This last week has been our biggest test to date. The whole team has been working day and night to gather as much information as possible about our security breach. We have been in direct contact with the customers who were affected, and we can't thank you enough for being so positive and supportive, even though some of you have had to cancel your credit cards and file claims with your financial institutions.
Investigations are still ongoing with many parties involved. However, we believe in being as transparent as possible, and we want to update you all on what we do know so far, and what steps we have taken to make sure this never happens again.
What We Know
- Customers who purchased after November 27th 2013 up until May 8th 2014 are suspected to be affected by this breach (we have contacted all potentially affected customers via email).
- We believe these sophisticated criminal hackers intercepted some credit card details between checkout and our off-site credit card processor.
- The intruders are believed to have started using the credit cards around May 1st, and we received the first report on May 3rd.
- On May 7th we had received 20 reports, and we involved our payment gateway and WPEngine (who involved security consultants) to investigate.
- We took our payment gateway offline on May 8th.
- We emailed 230,000 customers on May 9th and went public on our blog about the breach.
- WPEngine and their security consultants are still unsure as to the point of entry or how the information was leaked. This remains an ongoing investigation.
- There is no evidence of any vulnerability in the WooCommerce code. If our further investigation shows any security weakness in our products, we will of course take immediate steps.
What We Have Done
We want to make sure that this never happens again. Here are the steps we’ve taken so far:
- Full security audit of our servers by WPEngine.
- We have reset all passwords as a precaution. We strongly recommend using 1Password to create and store a strong, unique password for your account. Click here for an exclusive discount on 1Password.
- We have moved our payment off-site, using PayPal Express, for the most secure checkout experience.
- We have moved parts of our website off-site, and will continue to do so (product changelogs and downloads).
- We have updated our SSL certificate as a precaution.
- We have installed Duo Security (two-factor authentication) for all admin accounts.
- We are hiring a security/sysadmin engineer so that, going forward, we no longer rely solely on third parties for such vital parts of our business.
- We will continue to conduct security audits of WooCommerce, as we have done in the past, on every major release.
We wholeheartedly apologise for this inconvenience. It frustrates us immensely that these criminals have not only attacked us, but our customers and our community. We will strive to ensure this will never happen to us again.
If you have any further questions, do not hesitate to contact us.