Our site got hacked during the weekend, causing loss of client data. We just finished rebuilding the site and it's back to working state.

Many of our clients received very distressing emails about an exploit on WPML plugin. This email was sent from an intruder who got into our site and used our mailer. Obviously, that message was not sent from us. If you received such an email, please delete it. Following links in hacked emails can cause additional problems.

We updated wpml.org, rebuilt everything and reinstalled everything. We secured access to the admin use 2-factor authentication and minimized the access that the web server has to the file system.

These are more precautions than actual response to the hack. Our data shows that the hacker used inside information (an old SSH password) and a hole that he left for himself while he was our employee.

This hack was not done via an exploit in WordPress, WPML or another plugin, but using this inside information. In any case, the damage is great and it's done already.

To be clear:

  • WPML plugin running on your site does not contain this exploit.
  • Your payment information was not compromised (we don't store it).
  • The intruder does have your name and email and might have access to your account at WPML.org.
  • The intruder indeed stole the sitekeys, but they are of no use. The sitekeys allow your site to get updates from wpml.org. The intruder cannot push any changes to your site using these keys.

We recommend now to all clients to reset their accounts in wpml.org. To do this, log-in to your account. Please don't follow links in emails, as the attacker may still be sending emails to trick you. To log-in, open a browser, type in https://wpml.org and log-in.

There will most likely be additional post-breach actions that we'll need to take. We'll send a follow-up email early this week with a more complete summary.

Of course, we all apologize for being responsible of this mess. Our team is available to help with anything that you need. You can leave comments here or use our contact form to write to us directly.