The True Cost of a Breach
iThemes, a WordPress security provider, was breached - 60,000 clients in their membership database had a slew of information stolen, including usernames, passwords, IP addresses and more. What is of particular concern is the fact that the company was storing their members’ passwords in plain text, which they admitted was in error in a blog post.
The company provides a number of security services for WordPress (WP) users, including a backup plugin that backs up, restores and moves WP sites. Their Sync tool lets you manage all of your different WP sites from one dashboard. They also offer a general security plugin that defends against brute-force attacks, sets password policies, lets you set up two-factor authentication, performs malware scanning and more.
And yet, they were still storing passwords in plain text. After reading the replies from their customers on their security update blog, I realized that a password reset is not as simple as it seems when it comes to customers with more complex setups and password managers.
### The 'True Cost' of Skimping on Security

One commenter named Corey remarked on how iThemes’ decision to store passwords in plain text affected each of his clients’ businesses as well. The time and resources he spent fixing his clients’ WP security solutions showed “the true cost” of using their solutions.
The same sentiment applies to third-party vendors that provide Point of Sale (POS) software to major retail clients like Target or Home Depot, who in turn bear the cost in lost customer loyalty and sales. It is particularly concerning when your client has many clients of their own, spreading the effects of a breach like a web.
Another concern a commenter had was the required manual effort and time spent changing passwords on every site they licensed on iThemes’ backup plugin. And yet another spent two hours updating passwords manually as their backups were failing.
Not only is it time-consuming to change passwords manually across several sites, all of the clients would have to change them again, as they’re still stored in plain text while iThemes works on the fix, including salting and hashing.
Additionally, iThemes sent a password reset email to all of their clients containing a link whose real destination was hidden behind the link text, which they urged customers to click on to change their passwords, a prime example of what not to do after a breach. Phishing emails, which often target users after a breach, tend to look very similar, and the email aroused suspicion and confusion in affected customers, as more than one commenter mentioned.
Another commenter, Pat Walsh, acknowledged that breaches can happen to anyone:
> Let’s face it, if Apple/iCloud can be hacked, then every site probably has vulnerabilities that need to be addressed. Seems like two-factor authentication is the only way to ensure secure logins.
### Turning to Two-Factor After a Breach

Often, companies that fail to implement proper security measures are forced to do so by a data breach. iThemes stated they were working on salting and hashing passwords in their membership database system at the moment, as well as closely monitoring their servers, but made no mention of two-factor authentication.
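To make concrete what "salting and hashing" changes about a leaked membership table, here is an added example (not iThemes' code, and the member record format, the PBKDF2 choice and the sample member are my own assumptions): a plain-text store beside a salted, iterated-hash store, with a verifier and a one-time migration routine. In the hashed store a leaked row no longer contains a working credential, and two members with the same password get different rows.

```python
import hashlib
import hmac
import os

# Constructed plain-text store of the kind the post describes: a leaked
# row is a working credential. The member and password are made up.
PLAINTEXT_STORE = {"member@example.com": "Correct Horse Battery"}

# PBKDF2-HMAC-SHA256 work factor (assumed value; raise it as hardware improves).
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' using a fresh random salt.

    A per-user random salt means identical passwords hash differently and a
    precomputed table of hashes is useless against the whole database.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never fall back to plain text
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), hash_hex)


def migrate_store(plaintext_store):
    """One-time migration: replace every plain-text password with its salted hash.

    After this, members still have to rotate their passwords, since the old
    plain-text values may already have been copied by whoever read the table.
    """
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    print(hashed["member@example.com"])
    print(verify_password("Correct Horse Battery", hashed["member@example.com"]))
```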
A number of breaches in the past year have prompted companies to implement two-factor authentication immediately after the fact. Bitly, for example, enabled two-factor authentication for all Bitly accounts on their source code repository as soon as they discovered that an employee's credentials had been exploited to breach their systems.
They also outlined an entire incident response plan that included encrypting credentials, offsite storage, enabling detailed logging, changing SSL certificates and enforcing the use of two-factor for all of their third-party vendors (read more in Turning to Two-Factor After Password Exploits).
As a larger company with more resources to spend on security, it’s not surprising that they can quickly roll out new technology, or even know what kind of technology to adopt in the event of a breach. But for smaller or mid-sized companies, starting with an easy and effective security solution like two-factor authentication is the first step in the right direction. To learn more about evaluating different two-factor solutions, read our Two-Factor Evaluation Guide.