How did ‘hackers’ get the Panama Papers?


Ever since the unprecedented Panama Papers leak, Mossack Fonseca, the company that created the offshore accounts for some of the world’s most powerful people, has said that this was not an ‘inside job’, but the result of being hacked.

In the subsequent days, several reports have surfaced with theories of how some easily preventable vulnerabilities could have been exploited. Wired reported that their systems were ‘outdated and riddled with security flaws’ and quoted an expert as saying Mossack Foneseca showed an ‘astonishing disregard for security.’

From a WordPress version that is out of date to a version of Drupal that has at least 25 known vulnerabilities, there are multiple vectors of entry for a slightly motivated hacker. Wordfence, a WordPress security plugin provider even went as far to show how someone with malicious intents could exploit the old version of the Revolution Slider plugin to steal the data. While the Hacker News community have criticized the company for downplaying the of other possible reasons, there are key security lessons to learn, even if you’re not a powerful law firm that sets up offshore accounts to minimize the tax exposure of your clients.

As a PSA, here are some best practices identified by Microsoft and Yahoo you may want to consider:

  1. Keep your web server up to date – companies work hard to fix vulnerabilities as soon as they are discovered
  2. Critical data (like client data and client portals) should be on a separate server than the website
  3. Change your passwords regularly – and please use a strong password
  4. Use antivirus software that monitors both inbound and outbound traffic
  5. Never store passwords in plain text – secure them using an encryption method such as MD5 or SHA-256
  6. Keep abreast of developments in web security
  7. If you use cookies, set reasonably short expiration dates
  8. Do not store any critical information in cookies
  9. If you have multiple users on your server, give them the minimum amount of privileges they require
  10. Do not run your application with the identity of a system user (e.g. admin)