This entry was posted in General Security, WordPress Security on December 9, 2015 by Mark Maunder 34 Replies

Update 1 (3:10pm CST on Dec 10th): WPEngine is working with federal law enforcement as part of their investigation into the breach. They are also working with a ‘leading cyber security firm’, presumably someone who specializes in incident response and forensics. They haven’t provided any further details about the incident yet.

Original post:

About an hour ago WordPress hosting company WPEngine sent out an email to their customers asking them to change their passwords.

The passwords they want you to change are the user portal, sFTP, your WordPress database password, your original wp-admin WordPress account and any password protected installs and transferable installs.

We have reached out to WPEngine and received this response from Eric Jones:

As we indicated in our notification to customers at WP Engine, the security of our members’ personal information is a top priority. In response to an exposure involving some of our customers’ credentials, we are taking proactive steps to mitigate the issue. While we have no evidence that the information was used inappropriately, out of an abundance of caution, we have initiated an investigation and notified customers that we are invalidating five passwords associated with their WP Engine account. Customers were provided with specific instructions on how to reset each of them. Again, we are committed to the protection of our customers’ personal information. As we learn more from our ongoing investigation, we will provide updates to our customers if we learn of information that affects them. Additional information and any future updates about this event are available at http://wpengine.com/infosec

A snapshot of the email sent about an hour ago is below:

We will update this post as we learn more.

~Mark.