Important Security Notice: Change Your MainWP.com Password

dennis · April 24, 2024, 4:37pm

This announcement is to inform you about a security incident involving the exposure of some user credentials on the dark web.

Please rest assured that this does not affect your self-hosted MainWP Dashboard installations. The exposed credentials are only related to MainWP.com accounts. We have also received no evidence that MainWP.com was directly targeted.

We want to reiterate that this incident did not involve any access to your self-hosted MainWP Dashboard installations. Your Dashboard credentials and data were not impacted.

The tl;dr: Out of extreme caution and to enhance account security after finding some user information on the dark web, all MainWP.com users will be required to reset their passwords through the lost password process.

This process invalidates any exposed old passwords and allows the creation of new, strong credentials. Additionally, two-factor authentication is being made mandatory to provide an extra layer of protection.

This does NOT mean you are affected; however, if you are or were using generic or repeated passwords across multiple sites, there is a good chance you have been caught in the MOAB breach explained below. If you have done that in the past, resetting ALL your passwords, not just MainWP.com, is a good idea.

What Happened?

As part of our ongoing security monitoring efforts, an ethical hacker on HackerOne, a cybersecurity platform that connects us with security researchers to identify vulnerabilities, alerted us that a subset of MainWP.com user logins and passwords had been found circulating on the dark web.

After a thorough internal investigation and discussions with our hosting provider, we determined that this exposure is likely related to the MOAB data breach and NOT a direct attack on MainWP.com.

About the MOAB Data Breach

The MOAB (Mother of All Breaches) was a massive data leak discovered in January 2024. It contained over 26 billion records from thousands of previous data breaches across 3,876 different domains. The 12-terabyte dataset included user data from major platforms like LinkedIn, Twitter, Weibo, Tencent, and others. While some data was from previously reported breaches, the MOAB also contained billions of new records that had not been exposed before. The sheer scale of this compilation made the MOAB one of the most significant data breaches ever discovered.

You can read more about MOAB here: https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

What Information Was Found

The exposed information includes MainWP.com user logins and passwords.

If your username and password were exposed AND an attacker was to log in with those credentials, the information would be limited to:

Your support tickets
The URLs of your connected MainWP Dashboards
Your extension installation history

We want to reiterate that this incident did not involve any breach of your self-hosted MainWP Dashboard installations.

Actions We Are Taking

To ensure no user accounts remain vulnerable because of this credential exposure, we are requiring all MainWP.com users to reset their passwords using the lost password functionality.

Your password has already been changed on our end. This will invalidate any exposed old passwords and allow you to create a new, strong password for your account.

To further strengthen account protection, we are now requiring everyone to use Two-factor authentication when accessing MainWP.com.

Actions You Should Take

While your MainWP Dashboard installations remain secure, we strongly recommend that you take the following actions immediately for your MainWP.com account as a precautionary measure:

Go to the MainWP Password reset Page
Change your Password to a strong, unique one
With your new password log into your account
From the left sidebar Click on 2FA Settings
Follow the directions here: Enable two-factor authentication for added account security.

To further strengthen account protection, we are now requiring everyone to use Two-factor authentication when accessing MainWP.com.

If you are or were using generic or repeated passwords across multiple sites, there is a good chance you were caught in the MOAB breach explained above. If you have done that in the past, it is a good idea to reset ALL your passwords, not just MainWP.com.

Our Commitment to Security

We take the security of our products and services extremely seriously. We are continuously working to enhance our security measures and monitoring systems to protect our users’ data and prevent such incidents from occurring.

We will continue to investigate this matter thoroughly and take all necessary steps to safeguard your information.

If you have any further questions or concerns, please do not hesitate to contact our support team.

Thank you for your understanding and continued trust in MainWP.

josklever · April 24, 2024, 6:29pm

Thanks for the heads up!

My password for mainwp.com was still working and although it was a strong and unique one, I’ve changed it anyways. 2FA has been setup as well now.

dennis · April 24, 2024, 6:30pm

Thanks; that should be resolved. The system had a hiccup, and it took a few minutes longer to complete the change than we thought.

eSIlverStrike · April 24, 2024, 7:31pm

Still waiting for the email for the password reset. Did one at 2:48 (so 42 mins ago) and just did another 1 maybe 10 mins ago.

bojan · April 24, 2024, 7:42pm

Hey @eSIlverStrike

Can you please try again?

I believe we’ve had too many password requests in a short period of time.

peter-fb · April 25, 2024, 1:39pm

Hi Dennis,

Thank you for the email and the extreme caution that you take.

What I didn’t like about the email was that it didn’t came from a mainwp.com domain but from a mainwpcs.com domain address and it included links to this latter domain, including a link to change the password!

At first I thought oh boy, some hacker had gotten my email and pretended to be Dennis from mainwp.com in a somewhat alarming email to trick me to somehow give my password to them! It looks like it came from mainwp.com but it’s a similar domain, quite clever!

But it seems to be really coming from you.

May I quote from the M3AAWG Sending Domains Best Common Practices document:

The use of cousin domains is strongly discouraged by M3 AAWG, as it exposes the brand to several security issues as well as running the risk of confusing users, employees, and security tools.

Use of the main domain name of a brand or, more realistically, its subdomains is therefore the recommended approach.

Please consider changing your email domains.

dennis · April 25, 2024, 2:30pm

Hi @peter-fb

We have been using mainwpcs.com for all our customer success-related emails, including support, newsletters, and important account notifications, for about five months now. This helps us keep our main domain’s reputation focused on sales and marketing.

I totally get where you’re coming from regarding the potential confusion and security risks of using a separate domain that looks similar to our main one. The M3AAWG best practices you shared are definitely worth considering.

However, we don’t have any immediate plans to change our email setup. The best way to make sure you keep getting our emails is to add mainwpcs.com to your whitelist or safe senders list. This will help our messages land in your inbox without any trouble.

Thanks again for flagging this issue and sharing your thoughts. We really appreciate your input and support.

eSIlverStrike · April 25, 2024, 3:25pm

Tried this morning and it worked right away. Thanks

peter-fb · April 25, 2024, 4:42pm

Hi Dennis,

Thank you for your thoughtful reply, I appreciate it!

I also wanted to add that setting up the two factor authentication process was very smooth, no problem at all.