Automattic

CASE STUDY

Industry: TECHNOLOGY

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover. 

Challenge

Password reuse is a constant issue that often leads to account takeovers, yet finding exposed credentials was a labor-intensive, manual task that didn’t capture every instance.

Solution

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting customer accounts from a takeover with proactive tools that force an immediate password reset.

Result

With the automated solution, Automattic is protecting millions of people from account takeover and preventing them from reusing exposed passwords for a safer customer experience.

How Automattic Is Protecting Customers Behind The Scenes

Automattic is the company behind one of the most popular online publishing platforms in the world, WordPress.com. WordPress.com is but one of the products offered by Automattic. The company has developed services like Jetpack and WooCommerce that give users additional functionalities such as ecommerce, website security, backups and anti-spam capabilities. With a motto of “making the web a better place,” clearly Automattic is defining how the internet can empower, inspire and delight.

Today, customer accounts have become a target for cybercriminals who seek to hack accounts to steal identities, data or privileges using stolen credentials. When people reuse passwords across multiple sites and apps, they make themselves highly vulnerable to attacks. Automattic took up the cause to ensure its customers were as secure as its own servers, offering multi-factor authentication and ensuring customers choose strong passwords that have never been exposed on the dark web.

Enhancing the Website Experience

Automattic’s mission is to give people easy access to a platform where they can share data beyond social media accounts. “We believe everyone should have their own place on the web, their own domain they own forever,” says Barry Abrahamson, CTO at Automattic. “While affordable, we give them inventive tools to make it unique, interactive and highly functional.”

What was once primarily a blogger’s paradise, WordPress.com has expanded to give businesses of all sizes across the globe a place to connect with an audience in ways never before possible. “Protecting our customers from account takeover is something we view as our responsibility,” says Abrahamson. “Many people may not realize the risk of reusing passwords across multiple accounts. Our goal is to both educate our users and protect their WordPress.com site as much as we can from all forms of attacks. We do all of the work behind the scenes so customers can just enjoy their site and the freedom it brings to express themselves.”

Automattic is unique. They don’t charge extra for the many security features embedded in their products. Everything is included in the platform because the company believes at its core that those features are too important to leave to chance. A secure presence on the internet is a basic right, not an opportunity to nickel and dime customers. To Automattic, denial-of-service protection, SSL, web application firewalls and account takeover prevention are features as important as any basic product functionality, maybe more.

“Our idea behind security is to provide best-in-class security features and functionality to all customers in a transparent, no-hassle way, whether they ask for it or are completely oblivious to its necessity,” says Abrahamson. “We ensure when we implement something, we make the default version as secure as technically possible. Security features are automatically enabled, without requiring the user to turn on a feature, so we know our customers are protected from bad people who want to cause harm.”

Proactively Preventing Account Takeover

Account takeover has come front and center in the past few years. According to Verizon, stolen credentials top the list of breach attacks, mostly due to the fact that nearly 60 percent of people admit to reusing passwords across multiple accounts. Automattic believes it can be more effective in protecting its millions of customers by embedding security solutions into its products.

One such solution is SpyCloud, which Automattic chose to automate the detection of account exposures and to protect affected accounts from takeover with proactive tools that force an immediate password reset. “Account compromise due to password reuse has become a larger problem over the years,” says Abrahamson.

“We found ourselves spending more of our time searching the dark web for these password lists and then going through manually comparing the list with our customer list, then proactively resetting their passwords. It was a huge time commitment. Now that we have an automated solution, we can protect hundreds of millions of people and prevent them from choosing passwords that have already been exposed.”

Plenty has changed since Automattic was founded, yet the company has the foundation in place to stay nimble to whatever comes next. Automattic continues to build tooling and algorithms internally that detect, block, alert and notify. “We will invest in security measures that are proven to bring value to our products by providing a safe environment for our customers,” he says. “Security will always be at the top of our priority list because it’s our responsibility to take care of our customers who trust us.”
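The workflow Abrahamson describes above (match recovered breach records against the customer base, force a reset where the exposed password is still in use, and refuse already-exposed passwords when a customer picks a new one) can be sketched in code. The following Python is an added illustration written for this page, not SpyCloud’s or Automattic’s code: the breach records and customer accounts are constructed sample data, and the storage scheme (per-user salted PBKDF2 hashes) is an assumption, chosen because it is the reason each breach record has to be verified against one account at a time rather than by a simple list intersection.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data: a few records as they might arrive from a breach feed
# (email plus the recovered plaintext password). Not real breach or customer data.
BREACH_RECORDS: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("dave@example.com", "letmein"),
]

PBKDF2_ROUNDS = 100_000  # kept modest for the demo; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed storage scheme: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Customer:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_required: bool = False


def new_customer(email: str, password: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(email, salt, hash_password(password, salt))


def build_customers() -> Dict[str, Customer]:
    # Constructed accounts: alice still uses her exposed password, bob already
    # changed his, carol never appeared in the dump at all.
    customers = [
        new_customer("alice@example.com", "Summer2019!"),
        new_customer("bob@example.com", "a-different-one"),
        new_customer("carol@example.com", "pelican-orbit-42"),
    ]
    return {c.email: c for c in customers}


def exposed_password_digests(records: List[Tuple[str, str]]) -> Set[bytes]:
    """Index exposed plaintexts by SHA-256 so the plaintexts need not be retained."""
    return {hashlib.sha256(pw.encode("utf-8")).digest() for _, pw in records}


def is_exposed_password(password: str, digests: Set[bytes]) -> bool:
    return hashlib.sha256(password.encode("utf-8")).digest() in digests


def screen_accounts(customers: Dict[str, Customer],
                    records: List[Tuple[str, str]]) -> List[str]:
    """Flag every customer whose current password equals the one exposed for them.

    Because stored hashes are salted per user, each breach record is verified
    against that one account's hash; an email match alone only says the address
    appeared in a dump, a password match says the exposed secret still works.
    """
    flagged = []
    for email, exposed_pw in records:
        cust = customers.get(email)
        if cust is None:
            continue  # not our customer
        candidate = hash_password(exposed_pw, cust.salt)
        if hmac.compare_digest(candidate, cust.pw_hash):
            cust.reset_required = True  # forced reset at next login
            flagged.append(email)
    return flagged


def set_password(cust: Customer, new_password: str, digests: Set[bytes]) -> bool:
    """Password-change hook: refuse any password known to be exposed, for anyone."""
    if is_exposed_password(new_password, digests):
        return False
    cust.salt = secrets.token_bytes(16)
    cust.pw_hash = hash_password(new_password, cust.salt)
    cust.reset_required = False
    return True


if __name__ == "__main__":
    customers = build_customers()
    digests = exposed_password_digests(BREACH_RECORDS)
    print("forced resets:", screen_accounts(customers, BREACH_RECORDS))
    alice = customers["alice@example.com"]
    print("reuse of another exposed password accepted?",
          set_password(alice, "hunter2", digests))
    print("fresh password accepted?",
          set_password(alice, "quiet-lantern-917", digests))
```

Running the script flags only alice for a forced reset, rejects her attempt to switch to a password that was exposed in someone else’s record, and accepts a password that appears in no record. The exposure index is keyed by an unsalted digest on purpose: the check has to answer “is this secret known to be exposed for anyone?”, which a per-user salt would defeat.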

About Barry Abrahamson

Chief Technology Officer may be on Barry Abrahamson’s resume, but Automattic insiders prefer to call him Systems Wrangler. Abrahamson knows technology. He was one of the original hires at Automattic and, for more than 12 years, has worn plenty of hats. He is responsible for all of the technology and implementations at Automattic, including servers, data centers and security, as well as improving performance and security insights. Before joining Automattic, Abrahamson was a senior account manager at Rackspace Managed Hosting.

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.

Understanding the Latest NIST Password Guidelines

WHITEPAPER

Security Meets Usability

Over the years, security professionals have learned surprising lessons about how password policies affect user behavior. Faced with complicated password requirements and hundreds of online accounts to keep track of, people often take dangerous shortcuts—and criminals benefit.

To help organizations mitigate the risk posed by users’ bad password habits, the National Institute of Standards and Technology (NIST) designed a set of password guidelines that balance security and usability. The updated guidance abandons the long-held philosophy that passwords must be long and complex. In contrast, the new guidelines recommend that passwords should be “easy to remember” but “hard to guess.” According to NIST, usability and security go hand-in-hand.

Read this white paper to understand what NIST’s guidance means for your organization, including:

  • Why NIST has abandoned popular password complexity requirements
  • What’s special about new authenticator guidelines
  • How NIST approaches biometrics (hint: they’re not enough on their own)
  • What organizations can do to mitigate the risk caused by users’ bad habits

Solution: NIST Password Screening

Align with the latest password security guidelines from the National Institute of Standards and Technology (NIST).

Webinar: 6 Myths About Account Takeover

WEBINAR

There is a dizzying array of security solutions flooding the market, each promising unmatched protection from account takeover and impenetrable authentication protocols. When the marketing and sales pitches are stripped out and actual capabilities are examined, we find few live up to their own hype.

Watch the 6 Myths About Account Takeover webinar and learn which popular claims are oversold so you can make informed decisions about your own ATO prevention investment.

In this webinar you will discover:

  • The most common ATO prevention strategies and why they aren’t enough. Hint: Multi-factor authentication, password managers and password rotations don’t stop all ATOs
  • Which product claims should raise red flags

Solution: Account Takeover Prevention

Reset stolen passwords before criminals can use them to defraud your users or access sensitive corporate data.

Presenter Info

David Endler, President and Co-Founder

David Endler is an entrepreneur who started his career as a computer scientist at the National Security Agency. He then worked for Deloitte performing penetration testing and security product evaluations for Fortune 500 customers.

Catching the startup bug in 2000, he joined iDefense, a security intelligence firm based in Northern Virginia that was later acquired by Verisign. At iDefense, he formed the company’s security research team, launched the first public vulnerability buying market, and was a founding member of the Open Web Application Security Project.

In 2003, David joined TippingPoint, a network intrusion prevention vendor. He founded their security research team, DVLabs, through which he led TippingPoint’s attack detection and coverage to numerous industry awards. TippingPoint, a public company, was acquired by 3Com in 2005 and later by HP in 2010.

In 2010, David left HP/TippingPoint to start Jumpshot, a startup that developed patented security software for Windows that leveraged gamification for fighting malware. Jumpshot was acquired by Avast Antivirus in 2013, and most recently David served as Director of Product Development at Avast for the last two years.

David is the author of “Hacking Exposed: VoIP” and “Hacking Exposed: Unified Communications,” both published by McGraw Hill. He has been a repeat speaker at the RSA Security conference, Black Hat Security Briefings and Infosecurity Europe, and has been featured in many top publications and media programs. David has a B.S. and M.S. in Computer Science from Tulane University.
