Skip to content ↓ | Skip to navigation ↓

We all make mistakes. I know that sometimes I have made some real howlers, and lived to regret it, but at least we can try to learn from our past screw-ups, put it down to experience and move on.

It’s the same when it comes to computers. Many of us probably remember the first gut-wrenching time that we realized we hadn’t backed up our data and promised ourselves never to make the same mistake again, or realized that we were playing dangerously by using the same password in multiple places – only to hear on the news that one of the sites had been hacked.

In today’s information age, where information about computer security threats and easy-to-use tools are at our fingertips, there shouldn’t be much excuse for making some of the Security 101 errors that have plagued users and companies in the past.

iThemes Security Pro pluginAnd yet, from time to time, firms find themselves in the position of admitting that they have messed up massively with potentially disastrous consequences for their business and their innocent customers.

What makes it even worse, however, is when the company that has fallen woefully short really should have known better.

One such company which can offer no reasonable excuses is iThemes, the “one-stop shop for WordPress themes, plugins and training.”

Last week, the company issued an important security advisory for all of its customers:

After noticing some suspicious activity on our server earlier today, we discovered a significant attack on our membership database. In an over-abundance of caution, we’re asking all customers to reset their iThemes password immediately.
 
To protect your account from any unauthorized access, we’ve temporarily reset all user passwords. We just sent emails to our entire iThemes customer community asking you to do this as well. To regain access to your account, you’ll need to reset your password now.

So far, so normal—a company’s website gets hacked and potentially user information has been stolen.

iThemes stated that the hackers may have had access to usernames, passwords, email addresses, IP addresses, past purchases and payment receipt information but thankfully, not other payment information or credit card details.

Clearly, we all feel sympathetic to the customers who might be affected, but there’s also some sympathy for the hacked company which has fallen victim to a criminal attack. At this point, you think it’s good that iThemes appears to have acted quickly, sharing information with customers and advising that passwords be reset in what it describes as an “over-abundance of caution.”

But can you be “over-abundant” with caution when it comes to IT security? Well, the answer came a couple of days later in a follow-up blog post from iThemes CEO and founder Cory Miller:

How Does iThemes Store Passwords?
There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.
It’s important that you immediately update any other account that uses the same username / password combination. This includes WordPress installs, FTP logins, cPanel access, Gmail accounts, Yahoo accounts, Facebook, Twitter, billing accounts, etc.
 
What Does Plain Text Mean?
This means that the passwords were not protected as they should have been. They were not hashed, salted or any combination of techniques. This means if the attacker was able to see / save the passwords they have a new username / password list.

Wow. It’s bad enough that many firms don’t bother to salt and hash passwords on their servers and just encrypt them instead, but it’s petrifying to think that a technology company is actually storing passwords in plaintext in this day and age, despite the constant news headlines of security breaches and hacks.

What makes it even more jaw-dropping is that iThemes actually works in the security field, developing a popular WordPress backup tool (BackupBuddy), as well as iThemes Security Pro, which the firm describes as “the best WordPress security plugin.”

Here, for instance, you can see how its WordPress security plugin advises users to tighten their website security:

iThemes security product

Anyone else get the irony of the iThemes security plugin warning that strong passwords may not be enforced? The sad truth is that it doesn’t matter how strong the passwords are if your website gets hacked and the passwords have been stored in plaintext.

Not only has private information potentially fallen into the hands of hackers, but there has also been damage done to a company’s reputation. As one customer commented:

It’s a shame that a company which produces and maintains a security plugin stores passwords in plain text, there is NO excuse for this. This makes me believe that there are no serious developers in your house which have worked on enterprise level.

Now, it would be very easy to grab a pitchfork and a flaming torch and drive iThemes’s technical team out of town after a massive faux pas like this, but that’s not going to help the firm’s current customers.

The best thing they can do right now is ensure that they were not using the same password anywhere else on the net, consider adopting a password management solution (such as 1Password or LastPass), enable two-factor authentication where available, and keep a close eye on their other online accounts for signs of compromise.

If there is anything good to find in this sorry tale, then it is surely Cory Miller’s candid admission of failure and acceptance of responsibility:

…as the founder and CEO, the leader of this company, I want you to know: the buck stops with me and me alone.
 
At the end of the day, I am responsible for our company, iThemes, and the work we do. I’ve often tried to defer credit for the great work we’ve done to our team, but as for the mistakes we make, that credit belongs solely to me.
 
I started this company to offer solutions to help make people’s lives better.
 
I cannot control the past. The mistakes above were made. But we can control what we learn and how we grow from it in order to be better for you through it.
 
If anything, I am more energized and motivated than ever to make what we’re doing and how we do it better than ever.

I wish iThemes and its boss well. No-one deserves to get hacked, even if you made the mistake of playing fast and loose with your customers’ private information. But my primary concern is for those innocent users who may have been impacted by the hack and placed trust in iThemes to do a decent job with their passwords and other data.

If you run a technology company, make sure that your IT team feels empowered to explore vulnerabilities and—when they are found—give them the freedom to fix them, or you could find your problems are only just beginning.

Hacking Point of Sale
  • meowmeow

    TV Tropes stores passwords in clear text too. NEVER use the same password there you do elsewhere

  • Havenswift Hosting

    Yes, this is a mistake of the highest order by iThemes and the explanation that it was due to legacy software from 2009 that stored passwords this way seems strange as software even from “this long ago” should have been hashed and salted.

    As a customer of iThemes and a massive supporter of their software and ethos this is obviously massively disappointing. However as we all use LastPass to generate and store unique and complex passwords for every single site, there is no real damage done here – for those people that still use the same password across multiple sites, well in a way, this is almost equally your responsibility as well.

    A big plus point as you memtion is the speed and openness shown by Cory – it could have been fudged but that doesnt seem to be his way

  • Sandra

    This company should really have external auditors look at their infrastructure + software. While audits can be a pain they help to avoid such mistakes.

  • Coyote

    "We all make mistakes. I know that sometimes I have made some real howlers, and lived to regret it, but at least we can try to learn from our past screw-ups, put it down to experience and move on."

    Thank you Graham for pointing this out. Too many people fail to understand that perfection is impossible; you can only strive to do as best you can (AND address the mess you make as they come and as best you can). But you absolutely will make mistakes, simple as that. It is best to learn from them rather than complain, feel bad, whatever. What is done is done but don't let it be done in vain. Personally, I tend to make public my mistakes. Why should I not? If I admit it and describe what I learn from it or how it happened (which can only help everyone), then why not? The fact remains it was done and hiding is not really going to change the fact. Hiding it is worse, even, because it is trying to keep your integrity and/or reputation but the thing is, you're making it worse if it is discovered.

    And yes, although it is often (almost always) the fault of the user, administrators, no matter how experienced, are also users and yes they make big blunders (I know I do and did recently but there is after all, no perfection).

    As for the issue… well yes, sadly some companies do indeed use plaintext. But what to do? If you're a customer you cannot do much, most certainly not alone (unless you somehow have some sort of influence over them). I do like the attitude of the CEO, however. That is something to be commended: take responsibility for mistakes and yet at the same time allow everyone who works there, to be commended for their contributions.

    Lastly, yes, it is indeed VERY ironic that they would refer to password strength and yet they have it in plaintext. That actually makes me wonder… especially for the database password…is that too plain-text ? And that's how they know ? Okay, I know that's not completely fair but it amuses me to think about it in those terms. In the end, what matters is they learn the lesson. And yes, those mistakes you refer to are only a small few and I'm not innocent by any means (for backup I've always been fine.. data wise, and having enough knowledge and experience with dealing with file systems and partitioning/etc., I have also salvaged volumes and extracted data off supposedly dead drives… but still, even the most careful person can and will make mistakes and that is all there is to it).

  • Motti

    I can just repeat my call to establish Security Rating Agency much the same as S&P and other financial rating agencies. Obviously the site described will get 0-star rating. Arguably such approach will be more effective than legislation or pundits admonitions.

    • Coyote

      Credit ratings have many flaws. Surely you know this? A rating agency won't change anything, really. And here is the real problem: the things that can be audited are those that are well known and established (yes, this one is, but that's not what I'm getting at, will try to elaborate). Not everything is. Think of when viruses of old started implementing polymorphism, encryption, piggy-backing, etc. None of that was thought of in advance until it was there. The only things that can be seen are those that should be done already. And yes that would be nice if all corporations did that but that is expecting too much (sad as it may be). In the end, mistakes will always happen and even the most careful person will make mistakes. And even those with the more perspective than anyone else, will be bettered by one single person. What used to work isn't guaranteed to always work, too. If humans can make something they can also break that same thing. Put these thoughts together and then you can see how a rating won't really do much. It is a false sense of security, isn't it? Yes, it is, just like business ratings. Just because something is supposedly great does not mean it is (and the reverse is true: just because something is supposedly awful does not mean it is as bad as it might seem). It usually is a blur because all good comes with bad and all bad comes with good.

      Awareness is what it comes down to, in the end. Awareness and always adapting, always changing (much like polymorphism). And even then it won't fix the problem … the problem is impossible to get rid of and that is why you can only strive to be the best you can. Mind you, I agree that legislation is quite useless, too, I'm just pointing out that if you have a rating then some are less likely to worry when there should always be the thought, always be cautious, and never letting your guard down.

  • I can just repeat my call to establish Security Rating Agency much the same as S&P and other financial rating agencies.

  • M.L.

    This company should really have external auditors look at their infrastructure + software. While audits can be a pain they help to avoid such mistakes.

  • Yeah you are right that security issues are really serious. We need to be careful while we are setting the password of our website. it must be unique and able to withstand against the hackers. Thanks