Yesterday I reported on a huge, mysterious hack of WordPress servers that compromised 15,000 WordPress accounts; the hacker managed to post the same spam article about "money making sites", titled "Im getting paid!", on each blog.
We explained how the hacker was earning thousands of dollars just by sharing his referral link on all these hacked sites. The campaign includes several malicious domains to which the hacker redirects all readers, and it uses the service of a well-known email marketing company, Getresponse.
Using the same dork, site:wordpress.com "Im getting paid!", today we tried to find out the number of hacked accounts and once again got a shocking number: 59,300 blogs in the compromised list on the 2nd day of the hacking campaign.
So many blogs have been compromised without any known method, and the WordPress team is still not in action. As mentioned in the last article, yesterday I tried to contact the Getresponse team, whose email service is being used in this campaign.
Today I got a reply from Aleksandra Pabian, Privacy and Compliance Consultant at Getresponse, saying that they have taken this issue seriously and, after 'The Hacker News' report, immediately suspended the account from their service. "Thank you very much for all this information. We have terminated the account you have reported. The user doesn't have access to this account anymore," he said. I really appreciate his action to stop this campaign.
Well, even though the campaign has been stopped for a while, some questions remain:
1.) How can 60,000 WordPress accounts suddenly be compromised? Is there some vulnerability in the WordPress servers?
2.) If WordPress knows about the issue and warns account holders via email, then why are more accounts becoming targets, and why has there been no public notice from the WordPress team about this issue?
We will update you as soon as possible, once we hear something from the WordPress team.
Update - 20/10/2012:
"Im getting paid" is not alone: today we got mail from another 'The Hacker News' reader saying that the same WordPress hacking campaign is going on under another title as well, "Nothing like getting paid".
The dork site:wordpress.com "Nothing like getting paid" currently, as I write this update, shows me only 50,200 blogs in the results. This is because Google is removing results side by side, and the actual number of compromised blogs is much higher than these results.
To give a general idea, "Im getting paid" was showing a total of 120,000 blog results over the last 3 days, and "Nothing like getting paid" was showing around 187,000 blogs in its results. So, an estimated 300,000 WordPress blogs have been compromised in the last week.
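As an added example that is not part of the original article, here is a small Python script that parses a WordPress RSS feed and flags posts carrying either of the two campaign titles reported above, or links pointing at the email-marketing service's domain. The feed is constructed, and example.invalid is a stand-in for the redirect domains the article does not list.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Post titles the article reports for this campaign (punctuation ignored).
CAMPAIGN_TITLES = {"im getting paid", "nothing like getting paid"}
# getresponse.com is the email-marketing service named in the article;
# example.invalid is a constructed stand-in for the unnamed redirect domains.
SUSPECT_DOMAINS = ("getresponse.com", "example.invalid")

def _normalise(title):
    """Lower-case and drop punctuation so "Im getting paid!" matches."""
    return re.sub(r"[^a-z ]", "", title.lower()).strip()

def _domain(url):
    """Host part of a URL without a leading www."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def flag_spam_posts(rss_xml):
    """Return (title, reasons) for every <item> matching the campaign."""
    hits = []
    for item in ET.fromstring(rss_xml).iter("item"):
        title = item.findtext("title", default="")
        body = item.findtext("description", default="")
        reasons = []
        if _normalise(title) in CAMPAIGN_TITLES:
            reasons.append("campaign title")
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            dom = _domain(url)
            hit = next((d for d in SUSPECT_DOMAINS
                        if dom == d or dom.endswith("." + d)), None)
            if hit:
                reasons.append("link to " + hit)
        if reasons:
            hits.append((title, reasons))
    return hits

# Constructed sample feed: two campaign posts and one legitimate post.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed blog</title>
<item><title>Im getting paid!</title>
<description>Sign up here: http://www.example.invalid/ref?id=123</description></item>
<item><title>Weekend photos</title><description>Nothing here.</description></item>
<item><title>Nothing like getting paid</title>
<description>Join: http://app.getresponse.com/site/abc</description></item>
</channel></rss>"""

if __name__ == "__main__":
    for title, reasons in flag_spam_posts(SAMPLE_FEED):
        print(title, "->", ", ".join(reasons))
```

A blog owner can point this at their own feed export to check whether a post was planted by the campaign; a link to the marketing service alone is only a heuristic, so the title match is the stronger signal.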
According to a statement from WordPress (posted by Naked Security), there was no compromise of the WordPress.com servers, and rather than a vulnerability, the most likely cause of the problem was "people sharing the same password across multiple services".
But still, I don't believe that this campaign is due to weak passwords, because 70% of the hacked blogs have been inactive for the last 1-2 years and their account holders do not regularly sign in to their WordPress accounts (which could be phished or trojanized).
But anyway! Whatever the method of the hack, I now feel that WordPress blogs, or the WordPress CMS, are really not a secure choice.