Reply to post:

Carphone Warehouse cops £400k fine after hack exposed 3 MEEELLION folks’ data

Anonymous Coward
Anonymous Coward

>> Whereas the front end provided authentication should be piped through to the backend to establish a data access session in the context on the front-end user that wants to look up data.

It is fairly normal to have a single user account used by a web application to CRUD data from a database, with roles enforced within the web application.

The problem here seems to be that the permissions for that database user weren't tightly scoped to the database/schema supporting the Wordpress instance, it was presumably a root account with access to EVERYTHING on the db server.

This is rather sloppy.

Unless they were using Wordpress to store personal data on CW customers, which would be an "interesting" approach.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019