Security Incident
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
- April 13, 2011
WordPress.com News 
Thanks for the update team. Crap happens, but you’re always keeping us up to date. Much appreciated. Hopefully no one was exposed too badly.
LikeLike
Thank you for being transparent!
LikeLike
Thanks for the info. All the best!
LikeLike
Thanks for all your hard work, guys!
LikeLike
Thank you sir. 🙂
LikeLike
Thanks for keeping us in the loop.
LikeLike
Thank you for your prompt and honest post.
LikeLike
Yikes… Glad you guys are up front about it though. Much appreciated.
LikeLike
Thanks for keeping us informed, much appreciated!! Such a shame that some people feel it necessary to break into a site as great as WP.com. 😦
LikeLike
Thanks for being on this problem as quickly, WP IT team!
LikeLike
My advice is to change your password once in a while. In school we do this to prevent security issues.
LikeLike
Honesty and transparency are rare. Thank you for being upfront and so quick to let us know!
LikeLike
Thanks for the info. 🙂
LikeLike
Honesty is the best policy.
LikeLike
This is what I find so great about WordPress.com. It takes a lot of guts to admit a fault which may have otherwise been overlooked by the community. Thanks for the honesty and transparency.
LikeLike
Thank you, your advise is heeded.
LikeLike
My condolences.
Were you storing passwords in plain-text or hashed?!
LikeLike
WordPress passwords are hashed and salted using phpass.
LikeLike
Thank you for letting us know! Sorry it happened. Stupid hackers!
LikeLike
Thanks for telling us!
LikeLike
So should we be concerned about our password being taken? This post alludes to that but doesn’t confirm.
LikeLike
We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.
LikeLike
Thanks WordPress.com. These things happen when you are the coolest kid on the block.
Will roll out a new password sooner than the normal 30 days to be safe(r).
Cheers, Stephen
LikeLike
Hopefully nothing too sensitive was breached. Thanks for keep us in the loop.
LikeLike
It’s great that you have told us as soon as you knew. It makes it far easier to trust you.
LikeLike
Security breaches are a fact of life in todays world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.
LikeLike
Thanks for watching out for us. 🙂
LikeLike
Thanks for informing us, Matt. 😀
LikeLike
I trust you folks and your wonderful product. Knowing that you will stay on task and keep me informed, I find no reason to be seriously concerned.
LikeLike
The fact that you informed us really makes you trustworthy, thank you very much.
LikeLike
Thanks for your hard work in keeping this site secure! Passwords should be complex, long, and changed every so often!
LikeLike
Thanks for notifying us.
LikeLike
Thanks for keeping us informed!
LikeLike
Gyuh. Thanks for the heads up.
LikeLike
So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?
LikeLike
This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.
LikeLike
Another thank you for the info. I haven’t really my changed password for a long while anyway, so I changed today. Can’t hurt. 🙂
LikeLike
I really appreciate your letting us know, Matt and WP.
LikeLike
What a thing for a brand new user (as of last evening) to hear. Not very promising, but at least the whistle blew. Good for you!
LikeLike
Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.
I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.
LikeLike
I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.
LikeLike
Thanks for letting us know!
LikeLike
Thank you for the warning, it’s greatly appreciated!
LikeLike
I appreciate the heads up.
LikeLike
Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.
I feel safe with WordPress.com, and I couldn’t be happier with the service.
LikeLike
omgtheyhackzurserverzweizgunnadieztakecover!
Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.
LikeLike
:@ tough break! I guess I’ll have to change my password. 8)
LikeLike
Thanks for informing us. It shows that WordPress.com is very interesting.
LikeLike
Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.
LikeLike
Thank you for the info!!!
LikeLike
Appreciate the timely information, and your transparency.
LikeLike
I appreciate your honesty in revealing this breach.
LikeLike
Thanks for letting us know. We trust WordPress.
LikeLike
The timely and honest update, as well as the security suggestions are much appreciated.
LikeLike
Thanks for the information and good luck in your investigation. What a strange world we’re in. Keep up the good work!
LikeLike
Glad there is someone willing to do the hard work at WordPress, so I can do easy stuff like blogging.
LikeLike
Thanks for being open, I appreciate it. Gives a new meaning to kicking the bucket 🙂
LikeLike
Thanks for the heads up, Matt. It’s only natural that when you’re Number One, everyone will be gunning for you. Consider it a compliment. 🙂
LikeLike
Thanks for the heads-up. Who knows what the hackers were looking for.
LikeLike
Thanks a lot for the Honesty and fast Notification. Just great Behavior!
LikeLike
Wow! Thanks for letting us all know. Don’t those hackers have better things to do.
LikeLike
Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.
LikeLike
It is highly unlikely it’s related, but we will keep an eye out for other users reporting anything similar.
LikeLike
Thanks for telling us. 🙂
LikeLike
Hey Matt, great job on updating us all. Don’t you dare feel guilty if problems occur. You guys are terrific, as is this site.
LikeLike
That sucks. Thanks for the advice.
LikeLike
By ” potentially anything on those servers could have been revealed” do you mean that our credit cards numbers and other non public infos like personal phone and such may be available on the black market ?
LikeLike
We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.
LikeLike
Thanx for sharing. My sites seem perfectly fine.
LikeLike
Thank you for being up front with us by communicating and protecting us and WordPress. I hope the forensic study leads you to the party who conducted this action.
LikeLike
❤ you WP team of fabsters!
LikeLike
Security is all of our responsibility, thank you for the heads up as well as the untarnished presentation.
LikeLike
All my WordPress installs are on private domains not wordpress.com — is this breach only of concern to users on the wordpress.com servers?
LikeLike
Correct.
LikeLike
Thanks for being upfront and sharing the info right away. Your hard work is appreciated!
LikeLike
Kudos for being so open about the incident. Many other websites would just deny that any data may have been revealed to make it sound like they are 100% secure when they really aren’t.
LikeLike
Thanks a lot for letting us know about this. It must have been hard to say! My dad was in IT security, and he was on me all the time for passwords, etc, since security is hard to keep these days.
LikeLike
Thanks for the alert. I wonder what the hackers stand to gain from whatever they ‘got’.
Cheers.
LikeLike
It is too early to say — it appears that the activity was largely exploratory, not targeted at a specific area, but we are still investigating.
LikeLike
Matt, thanks to you and everyone at WordPress for creating and maintaining such an excellent site that is always getting better.
LikeLike
Thank you for letting us know! It is appreciated.
LikeLike
Thank you so much for being open and honest about the problem at hand. Continue the excellent work!
LikeLike
Thanks for letting us know, Matt. When we change our passwords, will we then have to reauthorize publicize services like twitter, etc.?
LikeLike
Nope, those connections should be maintained.
LikeLike
Good thing I have nothing worth stealing. 🙂 Thanks for saying what you did not have to say!
LikeLike
Thanks for the update, the disclosure, and your honesty. I appreciate that!
LikeLike
Thanks for the information!
LikeLike
Thanks.
LikeLike
Thank you. A lot of companies won’t tell you when they have a problem like this. It’s nice to know you are honest and clear.
LikeLike
Thanks for the information and your dedication to clearing this up.
LikeLike
Too many security incidents around the web. I am already using different passwords, but there is still a lot of uncertainty. Stupid stuff. 😦
Thanks for the update!
LikeLike
Thank you for the update.
LikeLike
Thank you for conveying the tough news.
LikeLike
I really appreciate you telling us about this. I actually feel more secure when companies I do business with, let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue??
What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!
Thanks again and Kudos!
LikeLike
Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.
One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.
LikeLike
Thanks for your honesty, and for your suggestions.
LikeLike
Thanks for the announcement. Remember you have to beef up security, seeing as you host some very important VIP blogs and newspapers on your servers. Best of luck.
LikeLike
You guys are awesome!! I really appreciate you spilling the beans so quickly. Gob Bless your efforts and hoping you can find the people who did this.
LikeLike
Have you been able consider any motivation, or particulars to any sites, political or otherwise?
Thanks
LikeLike
Nothing to say at this time.
LikeLike
Appreciate the update!
LikeLike
It’s quite strange to read “Security incident” near you’re big smile on your gravatar. Thank’s for the clear message.
LikeLike