WP Engine Security Breach: Customer Credentials Exposed

  • I will just add it here: It happens all the time.

    Unfortunately, most hosting companies don't go public and warn their users. They try to hide and hope nobody else finds out.

    Glad to see them going public, warning their users and doing the right thing.

  • The blog post is rather lackluster in details. There's no word on severity or the password hashing algos used. Anybody have any updates regarding these?

  • You'd think they would notify customers. I have a site hosted with them and not a peep, just an invalid password notification when I try to log in.

    Edit: just saying, I think it's strange that I'm finding out about it via HN first.

  • Posted update with new information:

    "Our investigation is still actively in progress. We share your frustration that we cannot provide answers to many of your questions. However, because this is an active, on-going investigation, including federal law enforcement, we are limited in what we can share at this time."

  • I haven't used WPE in a while, but which of these passwords are generated by them, and which are entered by me? It sounds like the "User Panel" would be my personal account password. Is this being stored in plain text in their database?

  • Just got this from support, in regard to password invalidation:

    "We are still in the process of invalidating the passwords in phases. This process will be running throughout the day, and your passwords will be invalidated."

  • I have asked WP Engine many times to add two-factor authentication; I hope they will learn a lesson from it.

  • Well, as of now I can't use port 22 and also phpMyAdmin. There is no official update on that.