Catalyst IT Europe’s guidance on the recent rise in credential-stuffing attacks and how we’re keeping your platforms secure.
What’s happening?
Moodle HQ has reported an increase in malicious authentication attempts directed at Moodle sites worldwide. These attempts are being made by a botnet using credential stuffing, testing large databases of usernames and passwords leaked from unrelated breaches elsewhere on the internet.
Importantly, this is not a vulnerability in Moodle’s code, nor in Catalyst’s managed hosting services. Instead, it reflects a broader cybersecurity challenge that affects all online platforms: the reuse of compromised credentials.
The current wave of attempts is on a larger scale than typically observed and may present an elevated risk. Indicators suggest the botnet is attempting to install malicious plugins through exploited accounts, though other activities may also be underway.
What Moodle sites were affected?
This is a worldwide malicious exercise against many platforms, including Moodle and Totara sites. All Moodle and Totara clients should take measures to protect themselves immediately.
If you are a Catalyst-hosted client and your site has been targeted, i.e. if there was an attempt to access your Moodle or Totara site using compromised credentials, Catalyst is already aware of this and has put in place additional protective measures.
Our team has contacted, or is in the process of contacting, all affected users to notify them of the steps taken and the next actions required. We continue to monitor the situation closely.
Please note:
- None of the underlying services or platforms Catalyst provides has been compromised.
- While some sites were accessed with reused, compromised passwords, there is no evidence that access was escalated any further.
- Malicious activity observed on Catalyst-hosted platforms has not been effective thanks to the protections we already have in place.
What can I do to protect my site and its users?
Unfortunately, this type of malicious activity is common across all web-based platforms today. To help safeguard your Moodle site and its users, we recommend the following immediate actions:
- Enable Multi-Factor Authentication (MFA) for all user accounts.
- Reset passwords for privileged accounts (administrators, managers, etc.).
- Use Catalyst’s Password Validator plugin to prevent users from setting passwords that appear in known data breaches (via haveibeenpwned.com).
- Educate your users on password best practices, such as using a password manager to create and store strong, unique passwords for every site they use.
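The breached-password check in the list above can be done without sending the password, or even its full hash, to the lookup service. The following is an added example, not Catalyst's plugin code or code from this page: it shows the k-anonymity range lookup offered by the Pwned Passwords service, with the network call replaced by a constructed in-memory corpus. `CONSTRUCTED_CORPUS`, the function names and the counts are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for the breach corpus held by the lookup service.
# Passwords and counts are made up for this example.
CONSTRUCTED_CORPUS = {"password": 9_000_000, "Summer2024!": 412}


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def constructed_range_response(prefix: str) -> str:
    """Simulate the service side: 'SUFFIX:COUNT' lines for hashes sharing the prefix.

    A real client would GET https://api.pwnedpasswords.com/range/<prefix> instead.
    """
    lines = []
    for breached, count in CONSTRUCTED_CORPUS.items():
        p, suffix = split_hash(breached)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    # Padded responses contain dummy entries with a count of 0; include one here
    # so the client is shown ignoring it.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range=constructed_range_response) -> int:
    """Look up how often the password appears, sending only the hash prefix."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)  # 0 for padding entries
    return 0


def validate_new_password(password: str, fetch_range=constructed_range_response) -> bool:
    """Password-policy hook: accept only passwords with no known breach hits."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "Summer2024!", "plum-Ledger-93-tidal"):
        print(candidate, "accepted" if validate_new_password(candidate) else "rejected")
```

Only the five-character prefix leaves the site, so the lookup service cannot tell which of the many hashes sharing that prefix was being checked.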
Why this matters
Malicious activity of this kind is common across the internet. The difference with Moodle is the speed, openness, and collaboration of the global community in responding. Working together, Moodle HQ, Certified Partners, and hosting providers like Catalyst IT are taking every step to ensure the security of learning platforms.
If you are a Catalyst-hosted client, rest assured that your platform is being actively monitored and protected.
We will continue to monitor the situation closely and provide updates as they become available.