While neither the attacker nor attack vector in the recent Panama Papers hack have been identified, Forbes cited outdated WordPress and Drupal installations as potential vulnerabilities that may have aided in the breach.
WordPress Tavern reported that the Mossack Fonseca domain had a WordPress-powered site running on version 4.1 of the software, which was released in December 2014.
Its main site also loads a number of outdated scripts and plugins.
The Mossack Fonseca client portal changelog.txt file is public, showing that its Drupal installation hasn’t been updated for three years.
Wired UK noted that since the release of Drupal 7.23 – the version on the law firm’s website – the software has received 25 security updates.
“Which means that the version it is running includes highly-critical known vulnerabilities that could have given the hacker access to the server,” said WordPress Tavern.
Wired also found that Mossack Fonseca ran its emails through a 2009 version of Microsoft’s Outlook Web Access, without any encryption.
An anonymous source told Wired that the server was not configured according to best practices. “We’re talking about a misconfigured server that enables directory listings,” they said.