A random person online has downloaded my full user database right after receiving access to my app.
He sent me the list of my users in a txt file - I was literally shocked.
Thank God it doesn't seem to be "ransomware" but more of a lead-gen tactic - he wants to sell me cyber security services.
After a bit of research and chatting with a technical friend, my friend told me that the attacker might have used UserEnum tactics to reverse engineer all my sign-ups. He has also told me that this issue could be solved by applying a patch.
I understand that WordPress is vulnerable to UserEnum by default (unless you apply some plugins); however, this shouldn't happen.
@Glide Team - I have the exact string that the hacker used to download the list. Please let me know if you need it and please let’s fix this key vulnerability.
So he got access to the whole database?
Were you using any of the security measures that the Glide team has developed to protect the database?
Yes, the full list of registered users - their emails, basically.
What security measures?
Shouldn't protecting our database be a default measure?
I cannot locate any except for anonymising email addresses. And I'm not sure this would work for me and my users.
There are plugins for WordPress to avoid UserEnum.
@maschera Row Owners - Glide Library
Please use Row Owners to protect which rows can be downloaded, including your user profiles.
Can you forward us the information you were sent, so we can review it?
I have enabled this, although I’m not sure it solves my issue.
Ok - I have just sent it to you via chat.
Aw man, that’s freaky. Hope you were using virtual email addresses!