Reuters was using old WordPress version when it was hacked

Reuters was using old WordPress version when it was hacked

Summary: The Reuters News blogging platform was hacked on Friday and a false interview with a Syrian rebel leader was posted. It turns out Reuters was using an outdated version of WordPress, suggesting the hackers got in by exploiting a known security hole.

SHARE:
TOPICS: Security, Outage
4

 

Reuters was hacked via an old version of WordPress

The Reuters blogging platform was hacked on Friday, and a false story about an alleged interview with a Syrian rebel leader was posted. On Sunday, Reuters suffered a second security breach in which hackers gained control of one of its Twitter accounts. While Twitter hasn't commented on the latter, we have more information on the former: Reuters forgot to keep its WordPress installation updated.

Mark Jaquith, one of the WordPress platform lead developers and member of the WordPress Security Team, told the WSJ that Reuters was using "an old version" of the software that has "publicly known security issues." More specifically, the publication was using version 3.1.1. The current version is 3.4.1.

This is a textbook mistake. You should always be using the latest version of your software, especially if you're a major company that is often targeted by hackers. WordPress is, in particular, a popular attack vector for cyber criminals. While there is no guarantee that the hackers exploited an unpatched security hole in WordPress to access Reuters' blogging platform, it's more likely given this new information.

If you're not using the latest version of WordPress, you should upgrade immediately. You can download the new version from wordpress.org/download or from your Dashboard (Updates menu in your site's admin area).

While Reuters confirmed the hack on the weekend, the firm said it does not yet have any information on the party responsible for the fake news. The publication took down its blogging platform on Friday but a quick check shows that blogs.reuters.com is now working as expected. For their sake, I hope the engineers who brought it back made a point to upgrade their WordPress installation.

Correction - Title was changed from "Reuters was hacked via an old version of WordPress" to "Reuters was using old WordPress version when it was hacked."

See also:

Topics: Security, Outage

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Amazing

    WordPress 3.2 was released in July of 2011, so 3.1.x is more than a year out of date. How do you forget to update for over a year? More than that, who would configure a server/website, especially a publicly accessible one, to require human intervention to install security updates?
    WilErz
  • Amazing

    WordPress 3.2 was released in July of 2011, so 3.1.x is more than a year out of date. How do you forget to update for over a year? More than that, who would configure a server/website, especially a publicly accessible one, to require human intervention to install security updates?
    WilErz
  • Reuters hasn't said how attackers got in

    Reuters has not told me (or anyone else, to my knowledge), how the attackers gained access to their site. While it's true that having an out-of-date version of WordPress is worrisome, that doesn't mean that they get in through WordPress. In the vast majority of cases I see, attackers get in some other way, and then once already in the system, they go looking for WordPress installs. It could be that, or it could just be a compromised password (note that a Twitter account was also compromised). It could be any number of things. The bottom line is that Reuters isn't saying, so all we can do is speculate. Your headline has unwarranted certainty.
    Mark Jaquith
  • Miss rose

    And surely ZDnet has some spam filters/approval process to vet the above inane comments from getting in? I see a lot of big business sites that leave their comment sections on their blogs 'unmanaged'.
    Krslll