WPML, a module that allows running fully multilingual websites with WordPress, making it easy to translate WordPress pages, posts, tags, categories and themes was recently hacked by an unhappy employee. According to this page: https://wpml.org/home/about-us/, WPML is running on more than 600 000 websites. There are almost 1 million compomised accounts on the WPML website.

WPML-Multilingual-WordPress-Plugin

Below you can see a message that was sent to all WPML clients in 20 January 2019.

Hi client,

We’re very sorry to report that our website got hacked. The evidence that we have points to an ex-employee who planted a backdoor before leaving the company.

That attacker did the following:

Copied the names and emails of our clients
Sent a mass email on our behalf
Defaced our purchase page and added a fake blog post

We’re very sorry that we allowed this to happen. We’ll take a lot more precaution when others leave the company in the future. Of course, some of our employees have access to sensitive material and we trust them to use it wisely.

Is there an exploit in WPML plugin?

The attacker did not modify the code in WPML plugins. We double checked right now and we can confirm that the ZIP files that you are downloading from us were not tampered with.

Was payment information compromised?

No. We don’t store payment information on our server. We use PayPal and Stripe for payment processing and they store the payment details. When you buy from us, we don’t ever see your credit card number.

Is my WPML account compromised?

Possibly. The attacker gained access to all client names and emails and may be able to login to your account. This will allow the attacker to pose as you on wpml.org.

Please log-in and change your password.

What’s WPML team doing about this hack?

We’re rebuilding the server from scratch, resetting all passwords and locking down everything. Since the intruder had access to the server, we can’t tell what other holes there are, so we’re building the site from scratch. This will take us until tomorrow morning.

We’ll write again once our site is secured again. Again, we’re very sorry for having lost your name and email to this intruder. Besides fixing the site, we’ll also take legal action.

– Amir

We recommend that everyone who has accounts on WPML.com should change urgently his / her password. At this moment the wordpress wpml plugins are not affected by this hack, but your account data from WPML is compromised. If you are using the same password on other websites we recommend to set a different password there too. Make sure to update all your WordPress plugins in order to prevent upcoming plugin hacks.