Thanks. My crew put this write-up together. We're here if you have any questions. Jem and we published almost at the same time, although I think we beat her by an hour or so. We're in contact. Funny coincidence that we were working on the same story at the same time.
This has blown up on Twitter. Our team has stayed out of the online debate mostly other than answering questions. We're trying to just focus on the data here.
They took their public repo offline, but we mirrored it before they did that. It contradicts some claims they're making re: timing. We're publishing a timeline tomorrow and are recording our weekly podcast tonight instead of tomorrow as per normal because of this insanity. We'll break it down on the show.
I guess what really jumps out at me here is how they're trying to gaslight the thing.
I'd also like to add that the DDoS functionality isn't what really jumped out at me. It was the ability to reset your site's admin password remotely using a hard-coded password that anyone can read. And then there is also the ability to drop all your tables.
When we contacted them before publishing via email, they explained that someone had been pirating their software so this was a countermeasure. (quote is in the Wordfence post above) I guess the idea was that they would destroy sites using pirated licenses. Then they backpedalled that later on after this went viral.
Depends who you ask. Also some sites use a SaaS model with API key for back-end access. They claimed license keys were stolen.
“Last year we had some serious problems after someone obtained a huge list of license keys and downloaded all of our products. The keys and files were then distributed on their file sharing site, which has since been taken down (not by us, ironically!). The drop tables function was put in place to try to stop this at the time.”