As you are probably already aware, there has been a recent increase in sophisticated cyber security attacks worldwide. Within the last two weeks, the New York Times, Wall Street Journal and Twitter have all documented breaches of their online systems.
Unfortunately, we also recently discovered that DotNetNuke Corporation's network infrastructure was breached by an unknown third party. The third party was able to obtain low-level access to our servers, which means that there was the potential for private information to have leaked.
After thorough analysis of our server logs, we were able to determine that the original point of entry was through an insecure configuration in our Demo website environment. This Demo environment has since been decommissioned; however, in the past it was set up in a custom manner which allowed an untrusted website visitor to create a new portal and become the Administrator of that portal. Once the untrusted user was an Administrator, they were able to exploit a vulnerability which allowed them to upload a script file that gave them additional privileges, including the ability to browse the file system and access website user accounts.
* It is important to note that the DotNetNuke CMS product is NOT susceptible to this type of exploit by default; the vulnerability was exposed by a custom configuration we had implemented specifically in our Demo environment.
Since we do not store credit cards or other types of sensitive personal information in our infrastructure, information disclosure was limited. That being said, there was the potential that some user accounts were compromised. The information leakage for these user accounts could have included information such as username, email address, some limited demographic information, and potentially a user's password.
As a result, for precautionary reasons, we are suggesting all users who have registered on website properties managed by DotNetNuke Corporation change their passwords. Some security best practices when it comes to choosing passwords are outlined below:
- Use a strong password (i.e. something at least 9 characters long with random capitalization, numbers, and punctuation)
- Use different passwords for different online services
- Change your passwords regularly
- If you find it difficult to remember different passwords for different sites, use a web browser utility such as LastPass.com
As I mentioned above, the Demo environment has since been replaced with a more robust Trial environment built on top of Microsoft Windows Azure, which provides superior security through physical isolation between websites. We have also taken additional precautions to harden our network infrastructure to ensure that a breach of this nature cannot occur in the future. This included migration of our website from encrypted passwords to hashed passwords, as well as the installation of a more robust intrusion detection system.
Our investigation into this matter is ongoing. We have taken comprehensive steps to prevent an incident like this from occurring again.
We apologize for the inconvenience.