
Cyber Incident Victim: EllisLab

Date: Mar 2015

Location: United States of America

Summary

A cybersecurity breach at EllisLab occurred when attackers used a stolen Super Admin password to gain unauthorized server access, deploying a PHP backdoor script that enabled unauthenticated entry for multiple perpetrators. The intrusion, detected by the company’s hosting provider, lasted three hours and potentially exposed customer data including usernames, email addresses, hashed passwords, partial payment details, and support ticket information submitted during a one-month window. While forensic analysis suggested no database theft, the company assumed full compromise and urged users to reset passwords, particularly if credentials were shared in support tickets. Post-incident audits led to security enhancements in ExpressionEngine CMS, prompting users to update to the latest patched version.


Description

On March 24, 2015, at 10:49 AM PDT, attackers gained unauthorized access to EllisLab's servers by logging into EllisLab.com using a stolen Super Admin password. The perpetrators uploaded a PHP backdoor script identified as a WSO Web Shell variant, enabling persistent unauthorized access without authentication. The breach lasted approximately three hours before being detected by Nexcess, EllisLab's web hosting provider. Following detection, EllisLab initiated forensic analysis of server logs to reconstruct the attackers' activities and identify the intrusion vector. Company personnel conducted file system reviews to locate and remove malicious scripts added during the incident. A concurrent audit of ExpressionEngine software was performed to determine whether vulnerabilities in the CMS facilitated the breach, though investigators confirmed the compromise resulted solely from credential theft rather than software exploitation. Attackers routed their activities through Tor servers, complicating attribution efforts and preventing definitive identification of the threat actors.


EllisLab adopted a precautionary stance regarding data exposure, assuming attackers potentially accessed all stored information despite forensic evidence suggesting database theft was unlikely. Compromised data included usernames, screen names, email addresses, salted and hashed passwords, and member profile data. Billing information encompassing names, addresses, and the last four digits of credit cards used for software purchases was also exposed, along with support ticket details submitted between February 24 and March 24, 2015. The company notified users to change passwords, particularly those with weak or common credentials, and advised customers who submitted support tickets during the exposure window to modify relevant credentials if they had included plaintext passwords in ticket communications. As part of post-incident remediation, EllisLab implemented additional security enhancements to ExpressionEngine and released version 2.10.1, urging users to update their installations. No evidence indicated exploitation of ExpressionEngine itself, with the breach confined to unauthorized server access via compromised administrative credentials.
