Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
While there was no specific mention of impacts to users in the post, Matt did reply in the comments:
We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.
He later went on to assert that credit card information and other personal information were NOT exposed, and also confirmed that this incident affected only the WordPress.com hosting service, not the WordPress software itself.
WordPress.com currently serves 18 million publishers, including VIP customers such as us, TED and CBS, and is responsible for 10% of all websites in the world. WordPress.com itself sees about 300 million unique visits monthly.
It's good to see Automattic's openness about the security issue, even while they are still investigating and honestly don't yet have all the answers. Kudos to Matt Mullenweg for diving into the comments and responding as he has.
The effect of that transparency is certainly visible in the many other comments to the post - including ones like this:
Thanks for letting us know Matt. Admire the transparency so much I’m signing up for a paid account.
Image credit: brotherM on Flickr