Hackers last month gained unauthorized access to a server of software development company EllisLab may have gotten their hands on personal information belonging to EllisLab.com members, the company CEO Derek Jones said in a Friday blog post.
After using stolen Super Admin login information to access a server, the perpetrator uploaded a PHP backdoor script (WSO Web Shell variant) that allowed other attackers to also gain access without authentication. The attack was spotted by Nexcess, the company’s web hosting provider, which prevents backdoor software from gaining root access to the server.
Jones said it was unlikely that its database was stolen in the three-hour incident on March 24, but that usernames, passwords, email addresses and partial credit card numbers may have been compromised. The company has asked users to change the passwords for their EllisLab.com accounts as well as for any other services that share the same password.
“Three hours may sound like a long time, and it’s long enough,” the CEO wrote, giving Nexcess the nod for moving quickly. “But it’s short in comparison to many breaches which last days or even months before detection.”
While Jones said tracing the data revealed the attack was multi-national, he said because Tor servers were used to disguise the route of the attacks, “the source and number of assailants is unknown.”
Jones said attackers did not exploit the company’s ExpressionEngine.