Blog

Security Incident Notice: Uncanny Automator

Summary

We are writing to inform you of a security incident affecting Uncanny Automator and automatorplugin.com. On June 12, 2026, an attacker exploited a vulnerability in third-party software running on automatorplugin.com and gained access to part of our infrastructure. We removed the attacker’s access on June 13, 2026, published a verified-clean release, and have since investigated and remediated the affected systems.

Based on our investigation to date, this incident had two consequences that affect customers:

  • Customer personal information was accessed. The attacker reached the database behind our store and licensing system at automatorplugin.com and accessed customer account information — including names, email addresses, license keys, and associated website URLs. We are treating this as a personal-data breach. No credit card information was involved, because we do not store card details on our systems.
  • A tampered version of Uncanny Automator Pro was briefly distributed. A backdoored build of Uncanny Automator Pro version 7.3.0.5 was served from our update infrastructure to a limited number of sites (< 6%). A site running the compromised version contains malware and a backdoor and should be treated as compromised. We have notified these customers directly and provided steps for remediation. Uncanny Automator Lite (free) was not affected.

This post explains what we have confirmed, what was accessed, what you should do, and what we have done.

Important: watch for phishing

Because customer email addresses were taken in this incident, you may receive phishing emails impersonating Uncanny Automator — for example, messages urging you to download or install an “urgent update.” Only install Uncanny Automator updates through the official WordPress plugin updater in your dashboard, your account area at automatorplugin.com, or WordPress.org.

If you receive a suspicious email, do not click any links or download anything. You can report it to us at [email protected].

Who is affected

  • All customers: your name, email address, and purchase details may have been among the records accessed, which also means you may receive phishing emails (see the warning above). Treat any unexpected Uncanny Automator “update” or login message with suspicion.
  • Sites that installed the compromised plugin: a limited number of sites (< 6%) received the tampered build by updating to version 7.3.0.5 during the window below. Because the build contains malware and a backdoor, removing and reinstalling the plugin alone may not fully clean the site. We have identified affected sites from our logs and have contacted their owners directly with next steps.

Exposure window

The tampered build was available from our update server for a limited window from approximately 6:30 PM EDT on June 12 to 4:00PM on June 13, 2026, before we removed it and published the clean 7.3.0.6 release. We are contacting the sites we can identify from our download logs directly. If you are unsure whether your site updated during the window, follow the steps in What to check and do.

What happened

An attacker exploited a vulnerability in third-party software running on one of our servers and gained access to part of our infrastructure. From there, they did two things:

  • On the server that distributes Uncanny Automator Pro updates, they modified the packaged plugin so that licensed sites checking for an update would download a backdoored copy labeled version 7.3.0.5. The tampering was made to the distributed package on the update server, not to our plugin source code repository.
  • On our store and licensing system, they accessed customer account information. The specifics are below.

Information that was accessed

The attacker reached the database behind our store and licensing system at automatorplugin.com and accessed customer account information. Based on our investigation to date, we are treating this as a personal-data breach.

The customer information involved includes:

  • your name;
  • your email address;
  • your Uncanny Automator license key(s);
  • the website URL(s) associated with your license

What this means for you:

  • No payment or credit card information was involved, because we do not store card details on our systems. Payments are processed by Stripe and PayPal; card numbers are held by those processors, not by us.
  • Account passwords were not exposed in usable form. They are stored only as cryptographic hashes, never in plain text. As a precaution we have reset all account passwords — to log in, you must reset your password.
  • Be alert to targeted phishing and fraud. Because your name and email were taken, you may receive convincing messages that reference real details about your account. Treat any unexpected email — especially one urging you to “update” or log in — with suspicion. Only update through the official channels described above.
  • Update to the clean release. Confirm you are on 7.3.0.6, and that you are not showing 7.3.0.5. If you have automatic updates enabled, you can confirm the version under Plugins in your WordPress admin.

What we’ve done

  • Removed the attacker’s access on June 13, 2026 and secured the affected systems.
  • Removed the tampered 7.3.0.5 build and published a verified-clean 7.3.0.6 release. We reviewed the currently served package and found no injected code.
  • Rotated the credentials and keys that the attacker could have reached and reset all account passwords as a precaution.
  • Removed the backdoor artifacts (rogue administrator accounts, malicious database entries, and scheduled tasks) from our systems.
  • Identified the sites that downloaded 7.3.0.5 from our logs and are contacting their owners directly with remediation instructions and indicators of compromise.

If you need help, contact us at [email protected].

Status and ongoing risk

We removed the attacker’s access to our systems on June 13, completed our investigation on June 14, and have restored and remediated the affected systems. As of June 14, 2026, we have found no signs of reinfection in our systems. Importantly, securing our systems does not end every risk to customers:

  • Phishing is an ongoing risk. Because customer email addresses and purchase details were taken, you may receive phishing messages impersonating Uncanny Automator. Stay alert to unsolicited prompts to update or log in, and only update through official channels.
  • Malicious files may still circulate. Version 7.3.0.5 is no longer served from our systems, but the attacker may continue to distribute it from infrastructure we do not control. Installing a 7.3.0.5 build from any source will still infect a site.
  • Affected sites remain at risk until fully cleaned. A site that installed 7.3.0.5 should be treated as fully compromised; it is not resolved by an in-place update and requires the full remediation steps sent to affected users.

We will update this page if additional relevant information emerges.

Contact

If you have questions, received a suspicious email, or notice anything unusual on your account or site, contact us at [email protected].

We know how much you rely on us to deliver software safely, and we’re sorry for the disruption and concern this has caused. We will keep you informed as we learn more.

author avatar
Ken Young
Ken is the co-founder of Uncanny Owl. With a background that ranges from running a solo web agency to developing eLearning at Google he brings a wealth of experience to building innovative, user-focused products.
See Full Bio

Related Posts

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This page may contain affiliate links. Once in a while, we may earn a commission from those links. But with or without commissions, we only recommend products we like.
Back To Top