Our site was breached on 2nd October. The attacker gained access to our WordPress site via a weak Administrator password. We are deeply sorry to report that some user information has been compromised.
What user information has been compromised?
We want to remind users that no bank or payment details have been compromised as these are handled by payment gateways, PayPal and Stripe.
Users must assume any non-payment information they provided as part of the sign-up process has been compromised.
The attacker has already released usernames, emails, hashed user passwords, site financial reports, affiliate records, comments, transactions and Hub role holder information.
A number of the hashed user passwords have since been cracked and released in plain text. We do not hold any plaintext passwords.
What has not been compromised?
No bank or payment details have been compromised as these are handled by payment gateways, PayPal and Stripe.
We do not store FPL login credentials. WordPress does store Hub passwords; these were hashed, but, as above, some of the leaked hashes have since been cracked.
Do you store plaintext user passwords?
We do not, and never have, stored plaintext user passwords.
Do you sell user data to third party companies?
We do not, and never have, sold user data to third party companies.
What are we doing about it?
- We’re working with Action Fraud, the police, the ICO, our hosting company and security firms on the issue.
- We reset all users' passwords on 4th October at 8pm BST. You will need to reset your password when you next log in. Please also reset similar passwords you may have used on other sites, including the Official FPL site.
- We have implemented a password policy that enforces strong passwords and limits login attempts.
- We have significantly upgraded our site’s password hashing policy.
- We have activated two-factor authentication for site admins and will be looking to extend this to all users in the future.
- We have reviewed our site role privileges and are limiting access to only what is absolutely required.
- We have reviewed all our plugins, retaining only those that are absolutely required, and have put a system in place to ensure they are automatically monitored and updated.
- We have hired a specialist Cyber Security company to work with us in further strengthening our information security going forward.
- We are conducting a site penetration test via external experts and will act on their findings.
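The three account-level measures above (a stronger password hashing policy, a strong-password requirement, and a limit on login attempts) are illustrated below. This is an added example written for this page, not the site's code and not WordPress code (WordPress is PHP; this uses Python's standard library). The legacy format, the `pbkdf2_sha256$` storage format, the 600,000-iteration work factor, the five-attempt lockout, the 12-character minimum, and the tiny denylist are all assumptions chosen for the example. The unsalted MD5 "legacy" hash is a deliberate simplification standing in for any fast scheme; WordPress's long-standing default (phpass, built on iterated MD5) is salted but still fast enough that leaked hashes of weak passwords crack quickly, which is what the notice describes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration, not the site's code. Models three remediation steps
# from the notice: a stronger password hashing policy (with transparent
# upgrade of old hashes on next login), a minimum-strength password policy,
# and a login-attempt limit. All formats and thresholds are assumptions.

LEGACY_PREFIX = "md5$"            # stand-in for a fast legacy hash (assumed)
NEW_PREFIX = "pbkdf2_sha256$"     # storage format for the new policy (assumed)
ITERATIONS = 600_000              # PBKDF2-HMAC-SHA256 work factor (assumed)
MAX_ATTEMPTS = 5                  # failed logins before lockout (assumed)
MIN_LENGTH = 12                   # minimum password length (assumed)
# Constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "liverpool", "123456789012"}


def legacy_hash(password: str) -> str:
    """Weak scheme: one unsalted MD5 per password. A leaked table of these
    can be attacked at billions of guesses per second on commodity GPUs."""
    return LEGACY_PREFIX + hashlib.md5(password.encode()).hexdigest()


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated scheme: every guess costs ITERATIONS HMAC computations,
    and the per-user random salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{NEW_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against either stored format."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), stored)
    if stored.startswith(NEW_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def needs_rehash(stored: str) -> bool:
    """True if the stored hash predates the current policy or work factor."""
    return (not stored.startswith(NEW_PREFIX)
            or int(stored.split("$")[1]) < ITERATIONS)


def is_strong(password: str) -> bool:
    """Length plus a denylist check, rather than composition rules that
    push users toward predictable patterns such as 'Password1!'."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What an attacker does with a leaked hash. Cost per guess is one MD5
    for the legacy format and ITERATIONS HMACs for the new one."""
    for guess in wordlist:
        if verify(stored, guess):
            return guess
    return None


class LoginService:
    """Maps username -> stored hash and counts failures per account."""

    def __init__(self, users: dict):
        self.users = users
        self.failures = {}

    def login(self, username: str, password: str) -> str:
        if self.failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"
        stored = self.users.get(username)
        if stored is None or not verify(stored, password):
            self.failures[username] = self.failures.get(username, 0) + 1
            return "locked" if self.failures[username] >= MAX_ATTEMPTS else "denied"
        self.failures.pop(username, None)
        if needs_rehash(stored):
            # Transparent upgrade: the plaintext is only available at login.
            self.users[username] = new_hash(password)
        return "ok"

    def set_password(self, username: str, password: str) -> bool:
        """Forced-reset path: refuse weak passwords, store under the new policy."""
        if not is_strong(password):
            return False
        self.users[username] = new_hash(password)
        self.failures.pop(username, None)
        return True
```

The rehash-on-login step matters for a forced reset like the one described in the notice: accounts that never log in again keep their old hashes, so a site that upgrades its hashing policy should also invalidate or purge the legacy hashes rather than wait for users to return.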
What you should do
We’ve reset your password, so any compromised passwords will not work. You will be required to create a strong and unique password.
Please go to the lost password link and reset your password via the email you receive, choosing a strong password.
We strongly recommend that you also change your password for any other website where you may have used the same email and password combination, including the official FPL site.
When will you resume producing content?
We will resume our usual content from Monday 11th October.