• Someone this morning managed to go into forgot password and change my password. I got an email with

    ‘Password Lost and Changed for user: admin’

    So I immediately set about going into phpMyAdmin and changing things in there to get me back in control of my blog.

    Just how on earth does someone change my password using this method? Is this something that will easily happen again?

Viewing 4 replies - 1 through 4 (of 4 total)
  • What version of WordPress were you running at the time?

    Thread Starter mdnl

    (@mdnl)

    WordPress version: 2.8.4

    WordPress exploits are not new.

    Hackers have found a way by passing a special value in the key parameter of the reset page URL or something like that.

    Someone has found a way to reset the admin password even without any confirmation and this can have serious consequences.

    We were told that hack was open in the previous versions and then got fixed, as far as I remember, but…

    Thread Starter mdnl

    (@mdnl)

    Well, it looks like it certainly hasn’t been sorted. I got the email and by the time I’d opened the email he had already changed the admin email and password. It’s a good job I quickly went to phpMyAdmin before he had a chance to do any damage.

    Is there anything I can do on my end to try and counteract this?

  • The topic ‘Hacked via forgot password’ is closed to new replies.