Panama Papers and WordPress

By now, almost everyone has heard about the hack of Mossack Fonseca and the subsequent release of millions of private documents that have exposed some shady financial practices of many well-known international figures. This security breach and subsequent release of private documents has become known as the “Panama Papers”.

What you may not know is that one of the avenues used to gain access to Mossack Fonseca’s internal database assets was the exploitation of outdated software, specifically WordPress and Drupal installations. According to WP Tavern, Mossack Fonseca is using a 3-year-old version of WordPress (v4.1) for its main website (!).

Keeping your software up to date is near the top of the list for ensuring security (read Securing WordPress for my recommendations to help ensure a secure website). Running 3-year-old software on your main website is just asking to get hacked.

UPDATE

Wordfence has published an article with additional details on how hackers may have gained access to Mossack Fonseca’s internal servers via outdated versions of WordPress and Drupal. It is particularly noteworthy that they were running a “slider” plugin infamous for its security vulnerabilities (Revolution Slider).