WP Engine breached, forces users to change their passwords

Popular WordPress-specific hosting provider WP Engine has apparently suffered a data breach and is forcing its customers to change their passwords.


“We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials,” the company announced on Wednesday evening, on the company website and via email sent to potentially affected customers. “Out of an abundance of caution, we are proactively taking security measures across our entire customer base.”

These measures include the invalidation of five passwords associated with each customer's WP Engine account: the password for their user portal, the SFTP password, the one for their WP-Admin account, the one that protects their installs and transferable installs (if the customer has enabled password protection), and the password WordPress uses to communicate with the database.

All but the last one have to be reset by the users themselves, and the company made sure to include instructions on how to do it in the notice.

Not many details about the intrusion have been shared, as the investigation is still ongoing and involves federal law enforcement. It’s known that the exposure was noticed on Wednesday, December 9, and so far, there is no evidence that the compromised information was misused.

The company has also called in a cyber security firm to help them investigate.
