WooThemes is investigating alleged website vulnerabilities

Some WooThemes customers are alleging that their credit cards suffered fraudulent charges after purchasing items from WooThemes’ website.

The point of vulnerability is unknown at this time. The number of affected customers is unknown.

The following is what we know:

Just after 3:00 p.m. central time Wednesday, May 7th, WooThemes publicly tweeted struggles with their payment gateway:

By 6:30 a.m. central time on the 8th, they announced that their checkout was “working again” and that they’d moved payment processing to Paypal:

I’ve confirmed via WooThemes’ checkout process that they are still offering Paypal as the only payment option.

I learned that the gateway issues may be related to stolen credit card data from a Hacker News thread.

Hacker News user GiantTitan, addressed as Thomas in the WooThemes support dialogue quoted in the posting, and who appears to have created the account for this submission, tells how he was hacked shortly after his purchase from WooThemes.

Here’s the entire posting:

WooThemes.com — 3 days ago there was a leak of credit card data, and they didn’t tell anyone. I’ve had over 10k in charges on the two cards I have on file with them. They haven’t told their customers to warn them. This news needs to be made public so people can protect themselves and I just want to prevent this from happening to anyone else.
Here was my correspondence with support.

Thomas * May 08 18:54 Two credit cards that I have used on your system have ended up with credit card fraud. One card was only used on this website. It was a brand new card. I have read online that your checkout is not secure. You have cost my business thousands of dollars and time I can never recover. I will be reporting your company to the credit companies for further investigation.

Hi Thomas, I’m very sorry to hear that your card has been used fraudulently! We have had a few reports today of similar issues from other customers. You should contact your CC company and cancel the cards and report the fraudulent transactions if you haven’t already done so. The common practice is that they will not charge you for the fraudulent transactions, and issue you a new card. We take this very seriously and we are investigating this with our hosting provider and security experts, along with our current payment gateway. We will let you know once we have more information on this issue. Sorry for the inconvenience! Regards, Magnus Jepson Co-Founder

The scammers who used my credit card information decided to book hotel rooms in Paris under their real names and use their personal email addresses. The hotel was nice enough to disclose the booking information to me. facebook/ajibola.moshood.10 facebook/ademosu.akintundemoses

Separately, Twitter user Edwin Toh messaged WooThemes that he too had been compromised after using his credit card on WooThemes’ website:

Response to allegations from WooThemes

As soon as I learned of these reports, I reached out by email to Mark Forrester and Magnus Jepson, co-founders of WooThemes.

Magnus quickly replied, noting that he had just woken up to the Hacker News thread. I contacted him around 6:30 am in his timezone (Norway).

He said that they learned, “from a handful of customers this week that their CC details had been used fraudulently.” He further stated that they immediately began an investigation.

That investigation is ongoing at this time. WooThemes is working with their payment provider, Inspire Commerce, their host, WP Engine, and a security partner, Sucuri, to ensure that they have taken every possible measure to prevent further and future attacks.

WooThemes is also working with additional authorities and advisors, and will disclose appropriate action for their customers to take once they fully “assess the situation first.”

WooThemes has just published the following update:

It must be made clear that we do not store any credit card details on our site, nor does WooCommerce, which makes this investigation that much more difficult to pinpoint.

Steps we’ve taken:

  • We contacted Sucuri who have conducted a code & security audit
  • We requested a full review by our host and payment gateway
  • We updated our SSL certificate

Sucuri discovered 3 modified files on our server pointing towards an attack. It cannot be said this is the reason for any leaked credit card information, and investigations continue.

What should WooThemes customers do?

I am a WooThemes customer. If you are a WooThemes customer, you should do what I’m doing: wait.

I’m waiting until WooThemes has the full results of their investigation before I take any action with my account. Panicking right now will not help. I have confidence in WooThemes and believe they will properly and fully disclose any information that affects your account as soon as they can confidently do so.

If you’ve purchased a product in the last week or so, do check your credit cards for fraudulent activity. If you discover any, email WooThemes support. Otherwise, simply wait for further direction from WooThemes.