WooThemes is investigating alleged website vulnerabilities

woothemes-on-blackSome WooThemes customers are alleging that their credit cards suffered from fraudulent charges after purchasing items from WooThemes’ website.

The point of vulnerability is unknown at this time. The number of affected customers is unknown.

The following is what we know:

Just after 3:00 p.m. central time Wednesday, May 7th, WooThemes publicly tweeted struggles with their payment gateway :

By 6:30 a.m. central time on the 8th, they announced that their checkout was “working again” and that they’d moved payment processing to Paypal:

I’ve confirmed via WooThemes checkout process that they are still providing only Paypal for payment options.

I learned that the gateway issues may be related to stolen credit card data from a Hacker News thread.

Hacker News user GiantTitan, called Thomas via the WooThemes dialogue in the posting, and who appears to have created the account for this submission, tells how he was hacked shortly after his purchase from WooThemes.

Here’s the entire posting:

WooThemes.com — 3 days ago there was a leak of credit card data, and they didn’t tell anyone. I’ve had over 10k in charges on the two cards I have on file with them. They haven’t told their customers to warn them. This news needs to be made public so people can protect themselves and I just want to prevent this from happening to anyone else.
Here was my correspondence with support.

Thomas * May 08 18:54 Two credit cards that I have used on your system has ended up with credit card fraud. One card was only used on this website. It was a brand new card. I have read online that your checkout is not secure. You have cost my business thousands of dollars and time I can never recover. I will be reporting your company to the credit companies for further investigation.

Hi Thomas, I’m very sorry to hear that your card has been used fraudulently! We have had a few reports today of similar issues from other customers. You should contact your CC company and cancel the cards and report the fraudulent transactions if you haven’t already done so. The common practice is that they will not charge you for the fraudulent transactions, and issue you a new card. We take this very seriously and we are investigating this with our hosting provider and security experts, along with our current payment gateway. We will let you know once we have more information on this issue. Sorry for the inconvenience! Regards, Magnus Jepson Co-Founder

The scammers who used my credit card information decided to book hotel rooms in Paris under their real names and use their personal email addresses. The hotel was nice enough to disclosed the booking information to me. facebook/ajibola.moshood.10 facebook/ademosu.akintundemoses

Separately, Twitter user Edwin Toh messaged WooThemes that he too had been compromised after using his credit card on WooThemes’ website:

Response to allegations from WooThemes

As soon as I learned of these reports, I reached out to Mark Forrester and Magnus Jepson by email, co-founders of WooThemes.

Magnus quickly replied, noting that he had just woken up to the Hacker News thread. I contacted him around 6:30 am in his timezone (Norway).

He said that they learned, “from a handful of customers this week that their CC details had been used fraudulently.” He further stated that they immediately began an investigation.

That investigation is ongoing at this time. WooThemes is working with their payment provider, Inspire Commerce, their host, WP Engine, and a security partner, Sucuri, to ensure that they have taken every possible measure to prevent further and future attacks.

WooThemes is also working with additional authorities and advisors, and will disclose appropriate action for their customers to take once they fully “assess the situation first.”

WooThemes has just published the following update:

It must be made clear that we do not store any credit card details on our site, nor does WooCommerce, which makes this investigation that much more difficult to pin point.

Steps we’ve taken:

  • We contacted Sucuri who have conducted a code & security audit
  • We requested a full review by our host and payment gateway
  • We updated our SSL certificate

Sucuri discovered 3 modified files on our server pointing towards an attack. It can not be said this is the reason for any leaked credit card information, and investigations continue.

What should WooThemes customers do?

I am a WooThemes customer. If you are a WooThemes customer, you should do what I’m doing: wait.

I’m waiting until WooThemes has the full results of their investigation before I take any action with my account. Panicking right now will not help. I have confidence in WooThemes and believe they will properly and fully disclose any information that affects your account as soon as they can confidently do so.

If you’ve purchased a product in the last week or so, do check your credit cards for fraudulent activity. If you discover any, email WooThemes support. Otherwise, simply wait for further direction from WooThemes.

Similar Posts


  1. I read their updates too..
    if woothemes got hacked,, is it possible woocommerce also get hacked?
    my online shop using woocommerce,, i don’t want my customer get hacked after purchase some product in my olshop.

  2. I’m a woo themes customer from Poland and I got like 40 transactions for 10usd yesterday. after the account was drained (I only had like 350usd on it) bank blocked the card… I’m going to the police and the bank but I do not have a high hopes…

  3. To those who were victims (of this specific case and others):

    All major credit card companies (Visa, MasterCard, AMEX etc.) protect consumers against this sort of thing. You simply have to contact your bank and tell them you didn’t authorise the transaction. They will contact the party where the fraudulent purchase was made and ask for proof that it was the legitimate cardholder who made the purchases. The burden always lies on the seller (the one who authorised the fraudulent transaction), not on the card-holder.

    This does, however, depend on your bank (and the credit card association); and it is a lengthy process to get the paperwork filled in, but there are checks in place to protect the consumer.

  4. I think this goes further back than a week. I bought stuff in january and also had fraudulent activity on my credit cards.

  5. This doesn’t just apply to customer’s who’ve bought stuff in the last week or so. Me and a friend of mine who’s also a web developer and WooThemes customer noticed on Wednesday (7th) that we’d both had suspicious transactions blocked by our bank, and cards cancelled. The circumstances (timing, nature of fraud) were too common to be coincidence, so we put our heads together, compared suppliers and transactions, and came up with WooThemes as one of two possible common links.

    Our last WooThemes purchases were in January and February, and we subsequently found a third person who had been hit who had last purchased in February.

    See our Tweets from Wednesday to show we were onto this back then:

    – Woo, or Inspire Commerce (their payment provider) DO actually store card details somewhere; or
    – someone’s been intercepting/siphoning off card details for at least a few months!

  6. We are busy analysing all reported fraudulent transactions to discover a pattern. Almost all fraudulent transactions have occurred in the last 5 days it seems, with us getting more responses from customers after sending our news blast.

    Whilst the fraud has happened in that period, the actual transactions on WooThemes do (in a small number of cases) go back to the beginning of the year. This doesn’t add up and further audits are being conducted.

    We do not store credit card details so we believe this information was potentially intercepted in the checkout process.

  7. Hi, I bought on “Woothemes.com” the plugin “Catalog Visibility Option” on January, 27 th, payed with my credit card (Mastercard).
    Last sunday my credit card was used for pay a service bought on “Lastminute.com”, BUT NOT BY ME!!
    I quickly blocked the credit card and the iter to have my money back is running with the bank, but what Wootheme write me via e-mail today let me think that something happened with my cc trough my purchase on “Woothemes”, because in other transaction I made in past, I always had to insert OTP generated by a physical device in my only availability.
    Ivan – Brescia (ITALY)

  8. I made a purchase on 04/02/14 at WooThemes with My Business Visa Card, three days ago I was alerted of a fraudulent charge of nearly $4500, not sure if it is related, but they tried to make purchase at Fry’s electronic store. I have been issues and waiting a new card.

    On 1/27 I made a purchase at WooThemes with my Business Debt card, I have not see fraudulent behavior on that card.

    I emailed Woo and heard back from Magnus but thought I would post here as well.

    1. OK, I am updating here. My business debit card has been compromised this AM. So anyone reading this here, the last time I used that card at Woo was on 1/27/14 so whoever had been doing this for several months.

      Now I am borderline pissed because now I dont have access to both my business credit or debit cards as they both have been canceled/reissued. Kind of a pain in the ass and I have to go through every account I used these card with and update this information.

      On the same page as Scary, no real apologize from Woo or even an offer for a discount, nothing.

  9. Same here. last transaction I made with woothemes was mid-march. Fraudulent activity has been going on for only the last few days. I assume the vulnerability was exploited quite a while ago and data has been collected over a long period. Then recently the big credit card / customer information repo has been sold on the black market (only an assumption).

    Fraudulent payments on my business card were made to UK shopping sites rather than from random countries round the world (i’m from the UK).

    Then again, it could just be a coincidence… ¯\_(ツ)_/¯

  10. I have purchased from Woothemes couple of times this year. last time it was a month ago. Now, last Sunday two of my credit cards i have used on Woothemes were compromised. With one of them someone tried to purchase 690 eur worth of merchandise from notebook.de and they succeeded. Second one was used to buy 3500 eur worth of merchandise but bank already was alarmed and they blocked it. Luckily my bank was quickly on it and they warned me about it.

    Also, i was lucky to get my money back. Nevertheless, i had to close two of my credit cards and had nearly a hard attack…

  11. I had the same experience as Nathan.

    I saw pending transactions (that I wasn’t expecting) on my business account whilst at the ATM and then by coincidence saw a news item on Hacker News. I had made some purchases on Woothemes back in early April.

    After contacting my bank, they confirmed purchases pending from / at Frys and when I confirmed that those were not initiated by me they took over and so far the transactions are still pending but I too have to get a new bank card.

    I have just emailed Woothemes to confirm that I was affected so they have that for their records.

  12. I emailed them in response to the news that I too had a fraudulent purchase scare – I got lucky and the transaction failed (they tried to buy plane tickets) but oddly Woo asked me for NO information (when did I purchase, with what email account, etc., anything that may help them understand how far it goes back, etc.). When my card got skimmed last year AT my own bank’s ATM they wanted every detail. Yes cards are protected but this is a huge inconvenience, not to mention a real scare. You’d think something more than “sorry” like hey here’s a coupon have some free plugins, would be forthcoming. P.S. I have had a tremendous amount of phone calls for loan apps using my cell # (apparently from a website that ferrets them out to loan companies on the web) – I have yet to understand how one secures a loan if they’re using my cell # I am in possession of so I’m assuming it’s unrelated and someone used my number in err or someone’s pissed at me (well played if that’s the case!).

  13. I got a email from them about the credit card hack but it was to late and I had to go through the process of cutting up my new PayPal debit card and contact my bank on the 20 transactions that depleted my checking account paypal drew from. I had $150 of service charges my bank forgave being it was fraud. The point is it was a mess and time consuming. The steps Woothemes took was to upgrade security (should have done that beforehand) and quote: offer a coupon code which gives you 50% discount (valid until 31 May 2014), should you want to continue to use our products. I ask why a deadline on the coupon? To hurry and buy something more from us. Looks like they want a hand out for some quick sales. Give the D.. thing to those who were hurt in this matter no deadline or strings attached.

  14. As I wrote in 9th, may I was between people hit from credit card hack while purchasing on WooThemes site.

    The fact costs me a lot of time to be resolved, go to bank agency, to the police office to denunce it, ask bank to re-emit a new credit card (= spent again ).

    Now you offer us a DISCOUNT, that means that you are going to do more NEW business with us starting from this situation !!

    I find this commercial try very unpleasant by you; ask to give you MORE money (the rest 50%) ….

    I think it’s better to give us a completly free coupon…. or don’t mention nothing, it will be better for WooThemes reputation!

  15. If you use a credit card number on the internet, there is a very good chance it will be compromised. My card number has been ‘hacked’ 12 times in 10 years. I call and have them removed. Takes 30 minutes.

    Why is everyone making a big deal about it?

Comments are closed.