Update (July 22, 2023):
We were informed this morning that these malicious users sent out a second email in an attempt to impersonate us. Please note that the situation regarding the data exposure has not changed. These malicious users are hoping that you will download files directly from them so they can exploit your WHMCS installations. SwiftModders WILL NEVER send you direct download files. All update notices will come from “swiftmodders.com” and will direct you to log in to your account.
We understand that it may be difficult to tell which emails are real, but the most important thing to remember is that official emails will come from “swiftmodders.com.” If you have any questions regarding the validity or authenticity of emails sent, please do not hesitate to contact us.
Update (July 19, 2023):
After spending several hours investigating the root cause of the client email data breach, it was determined that our API keys were exposed in a decoded version of our Theme Installer plugin and utilized to access additional store information. This API endpoint for the store would allow the users to get a list of all our clients’ email addresses and store purchase statistics. It is important to note that no credit card information or passwords were exposed. We are working diligently to try and mitigate the damage done by this exposure. The API credentials have been disabled, so you may have difficulty updating your products through the auto-updater. For now, you will have to download updates directly from your account. We are working on a solution to this issue to ensure that this does not happen again.
The original post will be kept intact for all users to read below.
Earlier this morning, we were informed that an advanced email scam campaign was initiated by malicious users and sent to all of our customers. It’s important to note that this email contains malicious files designed to steal your database information (specifically, your client table) from WHMCS. DO NOT DOWNLOAD THESE FILES!
If you have downloaded and executed the files in this email, it’s important that you alert your customers that their data may have been compromised and that they should change their passwords immediately. It is also important that you take extra security precautions to change passwords related to your WHMCS installation.
These malicious users registered a domain name (swiftmodders.me) not affiliated with our primary domain name. It’s important to check that all emails from SwiftModders originate from the swiftmodders.com domain. If you’re ever in doubt about the legitimacy of an email from SwiftModders, please do not hesitate to contact us.
We are investigating continuously to see if our customers’ information was compromised. As we gain additional information, we will update this blog post. We apologize for the inconvenience this has caused you, and we are here to help you if you have any additional questions.
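The sender-domain check advised in this notice, as an added example that is not SwiftModders' own code: it classifies a message by its From domain and treats the official domain as trusted only when the receiving server recorded a DMARC pass, since a From header alone can be forged. The sample addresses, the `mx.recipient.example` host and all function names are constructed for illustration, and it assumes the Authentication-Results header was added by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL = "swiftmodders.com"  # official sending domain named in the notice
BRAND = "swiftmodders"         # brand label used to spot lookalike domains


def sender_domain(msg):
    """Domain of the From address; the display name is ignored."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")


def dmarc_pass(msg, domain):
    """True if an Authentication-Results header records dmarc=pass for domain.
    Assumption: that header was written by your own receiving server."""
    want = r"\bheader\.from=" + re.escape(domain) + r"(?![\w.-])"
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"\bdmarc=pass\b", value, re.I) and re.search(want, value, re.I):
            return True
    return False


def classify(raw):
    """Return 'official', 'unauthenticated', 'lookalike' or 'unrelated'."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    if dom == OFFICIAL or dom.endswith("." + OFFICIAL):
        # Right domain in From, but only trust it with a DMARC pass.
        return "official" if dmarc_pass(msg, dom) else "unauthenticated"
    if BRAND in dom:
        # e.g. swiftmodders.me, or swiftmodders.com.<other-domain>
        return "lookalike"
    return "unrelated"


def sample(from_hdr, auth=None):
    """Build a constructed test message (not real mail)."""
    head = f"From: {from_hdr}\nSubject: Update available\n"
    if auth:
        head += f"Authentication-Results: mx.recipient.example; {auth}\n"
    return head + "\nPlease log in to your account.\n"


if __name__ == "__main__":
    ok = sample("SwiftModders <updates@swiftmodders.com>",
                "dmarc=pass header.from=swiftmodders.com")
    fake = sample("SwiftModders <updates@swiftmodders.me>",
                  "dmarc=pass header.from=swiftmodders.me")
    print(classify(ok), classify(fake))
```

A lookalike domain can pass DMARC for itself, which is why the domain comparison comes first and the authentication result is only consulted for the official domain.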