WordPress themes, plugins and training provider iThemes is asking all customers to reset their passwords following an attack on its membership database.
In a Tuesday post, Cory Miller, CEO of iThemes, wrote that attackers may have compromised usernames, passwords, email addresses, first and last names, IP addresses, names of purchased products, coupon codes, access times, and payment receipt information. Payment card information was not affected.
In a follow-up Thursday post, Miller wrote that passwords were being stored in cleartext and that 60,000 past and current users were directly impacted.
Migration is the primary focus right now – notably management and storage of passwords and other data. An audit of the IT stack, as well as products and code bases, will be performed in the coming days. iThemes is also reviewing and updating security incident response and detection procedures.