<![CDATA[ MODX Website Compromise - MODX Community Forums]]> https://forums.modx.com/thread/?thread=79060 <![CDATA[MODX Website Compromise]]> https://forums.modx.com/thread/79060/modx-website-compromise#dis-post-435698
Yes, one of the MODX web properties was not up to date and this was really not smart. We got burned, and this is our mea culpa. We have upgraded our websites to 2.2.4, changed all passwords related to our internal infrastructure, and set new policies going forward.

Your Passwords are Safe

No passwords or hashed passwords were disclosed. MODX does not store passwords on the affected websites by design (see Update 2 below), using a custom SSO application hosted on an external, secure server. Passwords are hashed and salted multiple times, with unique salts per user. Despite no access to passwords being disclosed, you may consider changing any non-unique passwords used across multiple websites.

We’re Sorry

We sincerely and profusely apologize for any inconvenience our lapse in diligence caused. We promise to do our utmost to be proactive going forward, taking every step we can to ensure we do not repeat this in the future.

Please Upgrade Your Sites

Security requires constantly staying on top of your websites; it’s an ongoing process and not a destination. As with any software, it’s important to to keep up to date when new updates come out. Upgrade your sites to the latest MODX versions when they’re released—no excuses.

Update 1: We clarified wording to accurately reflect that the actual passwords/hashed passwords were not disclosed.

Update 2: Further clarification that the user table field shared publicly by the culprit does not contain any passwords (we repurposed the field). It does contain:

  • Salts not used by our SSO
  • "cachepwd" (also not used by our SSO) which expires within minutes of creation.
smashingred Sep 03, 2012, 11:12 AM https://forums.modx.com/thread/79060/modx-website-compromise#dis-post-435698