TechCrunch is the latest victim in OurMine’s summer hacking rampage. The site, which is powered by WordPress and hosted via WordPress.com VIP, was hacked this morning and defaced with a message from the attackers who identify themselves as an “elite hacker group.”
TechCrunch’s news ticker was updated to display: “Hello guys it’s OurMine Team, we are just testing TechCrunch Security, don’t worry we never change your passwords. Please contact us.” OurMine gained access to a contributor account and posted a similar message.
According to a report from Engadget, TechCrunch’s sister site, the hackers gained access via a contributor’s weak password, not by exploiting a vulnerability in WordPress or the site’s plugins. TechCrunch was able to regain control of the site within minutes and delete the content created by the attackers in the admin.
OurMine is the same group that hacked Mark Zuckerberg’s Twitter, Pinterest, and LinkedIn accounts after he used the same password for multiple sites. Bad password security can make even the most secure websites vulnerable to these types of attacks. Although OurMine is primarily targeting high profile individuals and publications, WordPress sites are constantly the target of brute force attacks.
Security plugins like Wordfence, iThemes Security, and Jetpack’s Brute Protect module can help deter brute force attacks, but it’s virtually impossible to eliminate the human factor in poor password selection or the practice of using the same password for multiple online services. WordPress site owners, particularly those who run publications with many users holding publishing permissions, are especially exposed to attacks that target bad password security.
Although WordPress warns users about weak passwords, it doesn’t force them to create a strong one. Site owners who want to make this a requirement can use a plugin like Force Strong Passwords for extra security.
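As an added illustration of that last point, and not code from the article or from the Force Strong Passwords plugin: a small must-use plugin that hooks WordPress’s own validation actions so a weak password is rejected on profile updates and password resets instead of merely warned about. The function names, the 12-character minimum and the three-character-class rule are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Enforce Strong Passwords (example)
 * Description: Rejects weak passwords on profile edits and password resets.
 * Place this file in wp-content/mu-plugins/ so a contributor cannot deactivate it.
 */

// Assumed policy for this example (not a WordPress or plugin default).
const ESP_MIN_LENGTH = 12;

/**
 * Return a human-readable problem with $password, or null if it meets the policy.
 */
function esp_password_problem( string $password ): ?string {
    if ( strlen( $password ) < ESP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', ESP_MIN_LENGTH );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return 'Passwords must mix at least three of: lowercase, uppercase, digits, symbols.';
    }
    return null;
}

/**
 * Shared handler. WordPress submits the new password as the pass1 field on both
 * the profile screen and the reset form; adding an error aborts the save.
 */
function esp_validate( WP_Error $errors ): void {
    if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
        return; // No password change was submitted, so there is nothing to check.
    }
    $problem = esp_password_problem( (string) wp_unslash( $_POST['pass1'] ) );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}

// Profile edits in wp-admin (profile.php and user-edit.php).
add_action( 'user_profile_update_errors', 'esp_validate', 10, 1 );
// Password reset form (wp-login.php?action=rp).
add_action( 'validate_password_reset', 'esp_validate', 10, 1 );
```

Composition rules alone do not catch a strong password that is reused on another site, which is how the Zuckerberg accounts fell, so a production version would also compare the submitted password against a breached-password list.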