Since the first reports of the massive Panama Papers leak, Mossack Fonseca—the company responsible for creating offshore accounts for some of the world’s richest and most powerful people—has claimed the leak was the result of an outside hack. Recent reports have pointed to an outdated Outlook login and web portal software as possibly weak security points in Mossack’s network.

Advertisement

Now a new theory has firmly zeroed in on a Wordpress plugin called Revolution Slider. In an extensive blog post, Wordfence, a Wordpress security company, says the Mossack website was using an outdated version of the plugin which has well-documented vulnerabilities that easily allows unauthenticated users to upload files and scripts to a site’s servers. Without getting into too much technical detail, this allows anyone who understands how the bug works to access to the machine they’re uploading to. Wordfence describes the exploit as “trivially easy” in their video.

“It is hard to confirm with full confidence what exactly happened but this report makes sense. WordPress and other CMSs are under constant attacks,” Jérôme Segura of Malwarebytes told Gizmodo. “The more extensions and third-party software a site uses, the more difficult it is going to be to protect it.”

Advertisement

For a company good at hiding money, Mossack was apparently terrible at hiding data. Wordfence says Mossack’s emails were stored on the very same server that could be easily accessed through the Revolution Slider exploit—after uploading a short script to Mossack, the emails were there for the taking. It would be like keeping all your money in a single checking account and having your PIN be 1-2-3-4. Wordfence also claims that, until very recently, there was no firewall protecting Mossack’s site, a security measure that might have been able to stop or at least limit the amount of data that was leaked.

Wired reported that Mossack hadn’t changed their web portal login in three years, when many companies have mandatory password changes, sometimes as often as every 30 days. The portal server also supported SSL v2, an obsolete communications protocol that is susceptible to DROWN attacks, a means of decrypting individual messages from a server. The version of Drupal (a back-end framework) Mossack was using was three years old and known to have dozens of vulnerabilities. The firm’s Microsoft Outlook login also hadn’t been updated since 2009.

Mossack Fonseca did not respond to requests for comment. We’ve been trying to reach the company behind Revolution Slider with no luck so far.