PHP user database leak allegedly led to PHP source code compromise

PHP user database leak allegedly led to PHP source code compromise

PHP maintainer Nikita Popov has published new details regarding the likely cause of a recent PHP source code compromise and insert of malicious code.

In a new blog post, Popov wrote that he no longer believes the incident was caused by a PHP server compromise as he had wrote late last month. Rather, he surmised the incident was likely the result of a user password leak from a PHP master server (

After further analysis of the access logs, Popov noticed none of the suspicious source code commits included any log entries for Gilotine, a tool the PHP team uses for version control and access control. As a result, Popov determined those code commits to were pushed by an unauthorized actor via HTTPS and password-based authentication.

Popov further added the master PHP system was running on old code and likely could have contributed to vulnerability exploit and password leak:

“The system, which is used for authentication and various management tasks, was running very old code on a very old operating system / PHP version, so some kind of vulnerability would not be terribly surprising.”

To help mitigate the threat, the PHP master server had been migrated to a new system ( and all passwords have also been reset. Moreover, the implementation uses parameterized queries, to make sure SQL injections do not occur. Finally, passwords are now stored using bcrypt.

Related Articles