Security Incident
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
- April 13, 2011
Thank you so much Matt for letting us know. 😀 So honest an attitude really makes my day.
Thanks for the heads up. Nothing beats transparency.
Straightforward and honest. That’s why we love you. Good luck with your investigation and finding solutions.
Thanks for your efforts. Happens to even the biggest organizations and companies. Looks like you still have everyone’s trust.
Thank you for the update and great tip about the password tools – had never heard of them before but will definitely give them a go!
Thanks for the update.
From what you’ve said above, I presume that the exploit method is (was) specific to WP.com — but to clarify:
Does this exploit concern the code in WP.org at all?
It does concern WordPress.org-the-website but not WordPress-the-software that you likely host someplace else.
Thanks for the heads up! As tough as this ordeal must have been, I thank you guys for being so upfront with us! *Changes password while writing this*
Almost every site has its challenges but like most individuals here I am truly grateful that there is a company dedicated to keeping others informed. Thanks for letting us know and hope things get worked out soon!
That’s what I love about you guys. Always open and upfront. I am not surprised by this given the situation in the world. Thanks for being so vigilant. With you all the way!
Thank you for your openness. I’ve been with you for 3 months now, and I am very impressed with the manner in which you keep me in the loop.
Thank you for the heads-up.
Hey Matt,
I have a wordpress.org site that was working perfectly yesterday, and today when I log in, all my information is completely gone. I cannot even edit or add any new posts to my blog; all my tabs, stats, widget bars are all missing, but my public site looks and operates normally. Was my site affected by this breach or is it an unrelated problem? I really appreciate you taking the time to respond to the posts on here. Thanks.
That sounds unrelated — I would recommend contacting your host, and let us know if they’re unable to help you.
Thanks Matt, I opened a ticket with my host. Appreciate your quick reply.
Thanks for the update!
Hi Matt!
Thanks for the advice.
Count on us from Brazil.
tough times! thanks for the info. it is reassuring to know you’re paying attention to comments after the fact too.
hopefully, this can result in some new fresh eyes on my blog! 😉
Thanks for transparency and keeping us informed, and for suggestions.
Thank you for keeping us informed. It also gave me the opportunity to install LastPass, which I had not heard of but which is an excellent product. Thank you
We would probably never even know it had happened. So, thank you for reassuring us this is the best place to be 🙂
Funny, this happened the day I got the most hits I’ve ever gotten — like an absurd amount on a post about Chinese espionage via telecom infiltration.
I also appreciate this breach being declared, but think members should receive an email as well.
Probably not related, but congrats on the traffic
Would be great if you included the link in the email on where to change the password.
Sorry about that, you can reset your password here: https://wordpress.com/wp-login.php?action=lostpassword
The drug we are on is called gratefulness. 🙂
Although I really do not like the Internet, I really am glad I go there via WordPress. And although I really could not understand a word of the warning message, I am glad I could come here and realize I do not need to. Thanks for this discussion, and for welcoming our replies.
I had planned to ask a question, today, when I got on, about a totally unrelated topic, but I think I will wait and let y’all catch up or whatever you have to do about this trouble. So will catch you later.
Good for you guys for putting the information out there. From a Marketing and Communications standpoint, it’s better to be honest up front than to try to explain after it gets out. I’m happy to see that it looks like our personal information didn’t really get out. 😉
You are all doing a fine job. From what I can surmise, your organization could be one of the poster children for Eso-Merit Marketing. Excellent delivery of information with the intention of relationship. Well done.
Thanks for the heads up. Besides changing passwords any other steps you recommend taking?
That’s all right now.
I’m really scared for the safety of the blogs, but I appreciate that you let us know in advance. Let us know if there is anything else that we can do to protect our precious blogs! 😀
Many thanks for the notice. We hope you can fix the problem.
Thank you for the update. Honesty, promptly, is always appreciated!
Thanks for letting us know Matt. Admire the transparency so much I’m signing up for a paid account.
Wow — thank you!
Thanks for this note. WP R-O-C-K-S! Shame (in the strongest sense of the term) on those who hacked. They have their reward in full.
Just a thought. I’m thinking like a black hat. Have you tried to check if there was something inserted to your code. If I am going to risk being detected intruding your server, I’m going to make sure that I will have information about your next move. I know you guys have efficient IT experience but I just wanna throw my idea just in case.
Thank you for informing us.
We have done a very thorough check and audit of all our systems.
Thanks for the info!
That’s what I like about WordPress, your honesty. Sure you guys don’t want to run for President?
Thanks so much.
Thanks for being up front about the issue. You have earned my trust.
I did notice that my post kept floating around – I don’t know if it had to do with the breach or my lousy skills.
Since I’m not writing about national security nor have a massive reader database, I’m not too concerned and trust you’ll do the right things to prevent this break-in stuff in the future!
Keep up the good work,
Hello Matt. Have you considered that logs of your servers may have been tampered? With root access an intruder can erase all tracks.
We have considered that.
WordPress.com Hacked – Time To Change Your Passwords – and the Positive Side of Transparency…
In a blog post titled simply “Security Incident”, Matt Mullenweg stated: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. and We presume our source code was expo…
Just reiterating all above posts, thanks for update.
“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”
I wonder how many WordPress users will understand much of the above? What is ‘Automattic’, for instance?
It sounds perfectly horrifying for users. I hope WordPress will come up with information that’s understandable only by techies.
Ann Isik
Sorry it was confusing, if you’d like to learn more about Automattic visit here: http://automattic.com/
Thanks for keeping us in the loop! WordPress is the best ! Better than any other blogging platform!
Is it possible to know or obtain a note in our blogs, from you people, with a specific warning that our pass or something else was stolen or an abusive access was carried out in our blogs….?
Not sure what you mean, but drop us a note in support and we’ll try to help you.
Thanks! I appreciate your time here commenting, and the clarification.
I am not trying to get specific on detail, but just wondering something. Why do you think it was motivated for the source code on the servers and not the database information?
That’s based on the information we’ve gathered and seen so far.
Crap happens. Thanks for being open and transparent about it. I wish other sites were!
Nearly a week ago someone pointed out a problem with our WP-hosted site (it returned 504 – http://bit.ly/g5fBOW).
Was this the beginning of the incident?
That sounds unrelated, but please give us a shout if it happens again and we’ll take a look.
Thank you for this. Can you tell us a simple way to back-up our site data? I am on a mac.
You can download an XML file of your blog’s content by going to Tools -> Export in your WordPress.com dashboard. You can find step-by-step instructions at https://wordpress.com/support/export.
If you’re looking for a secure backup for your WordPress.org site, check out VaultPress. 🙂
Did the attackers get the /etc/passwd file or the password database hashes? If so, then everyone should be a lot more concerned than whether or not attackers can get into your wordpress account. They’ll work on breaking the hashes with wordlists, rainbow tables or brute force and then start trying out the username/passwords on other web sites that you might use.
For servers it doesn’t matter since all the passwords were changed anyway. As for the database it doesn’t look like it, but even if they did the hash and salt method we use for passwords would make them difficult to reverse.
How bad is this?
It’s very serious, that’s why we wanted to communicate it on our blog.
Thanks for letting us know. Another reason to love WordPress. ❤
Thank you Matt for the trusted assurance. Our utmost confidence is with you and team Automattic. Y’all get two smiley faces! 🙂 🙂
Thanks for the Security Incident post. Perhaps of interest to WordPress, in case you’re not already aware, are the subscriber notices issued by McKinsey Quarterly and Air Miles, both reporting similar security incidents (with their relative service providers), both just a little earlier this month, and both advising that the breach appears benign …
Thank you very much for this news update, Matt!
It may not be the case, but interestingly I am reading this just after Malaysiakini moved to WordPress.com when their servers were under attack in light of the Sarawak State Elections. See http://malaysiakinicom.wordpress.com/2011/04/13/malaysiakini-moves-to-new-site-goes-free-3/
Sorry to hear about it but thanks for the heads-up. WordPress has a lot to teach other on-line presences: always transparent, helpful, flexible and evolving. I love WordPress.
Thank you for letting us know.
I would like to know why morons would hack into WordPress. What advantages do they hope to gain? Are they after WP technical details or trying to get personal details off web sites? If the latter, they must be hard up for entertainment. Did this happen in the last 12 hrs? Keep up the great work. William
It’s impossible to know the motivations, and we’re not commenting any more on the attack right now.
Could passwords from twitter accounts linked to wordpress accounts be stolen or do I just have to worry about my wordpress password?
We do not store your Twitter account password, so no need to worry there.
“Our investigation into this matter is ongoing and will take time to complete.”
Well of course, take your time, China is a fairly large place after all, so it’ll probably take less time if you concentrate on searching for your hacker in the coastal cities first.
Thanks for letting us know!
Thanks for the info.
Thanks for the info.
It was the space aliens. I know they have been eyeballing Automattic for quite some time wondering how such advanced technology could possibly. You should feel honored they bent space-time to hack in and retrieve it.
Thanks for the update. I actually did get a bunch of spam comments this weekend and some of them made it through to pending section. I deleted them all. Is that a sign that my account was hacked? Nothing has changed on my site.
Nope, maybe it was just a blip in Akismet.
Q = what can happen if someone has broken in? Does it mean there could be an identity theft problem?
What will we see if someone has taken our info?
We don’t think anyone has taken your info, so you shouldn’t see anything.
I am brand new to blogging, only 2 days in haha. It makes me feel good that y’all are open about these types of things! The internet is a scary place because your info can go anywhere without you knowing!!
I’m impressed that WordPress is so honest about this. It would have been very easy to try and hide it. Kudos!!!!!! That’s why I am a WordPress user 😀
I do hope the passwords weren’t cracked though..
Thank you for being honest!
Thank you so much for sharing this information with us, especially so quickly after it occurred! It makes me question how safe the internet is. Certain websites are safer than others obviously, but WordPress is a site I use frequently and would have never expected an issue like this to occur. I plan to take your advice on the password suggestions. I know it sounds like common sense, but so many people use the same password or have a really weak one, so thanks for sharing. Keep up the blogging.
is it required to change password?
It’s not required, but it’s a good idea to update your password regularly as a security fundamental. You can reset your password at https://wordpress.com/wp-login.php?action=lostpassword.
Thanks buddy!!!
I thought it was not safe to change the password now while the problem is still unresolved.
So I hope you’ll inform us when this problem has been solved.
It’s safe to change your password. You can reset your password here: https://wordpress.com/wp-login.php?action=lostpassword
Thanks for being upfront and informing us. We have full faith in WordPress that all will be resolved.
I can not say that I am comfortable or that I feel this is a fully “transparent ” statement. Do you believe that personal information was revealed? Are you recommending that we change passwords and email connections?
I am doing sensitive political work with correspondents in the Middle East. I feel that I need more info.
It is highly unlikely that any personal information from your blog or account was looked at.
Appreciate the warning, Matt.
Even when the news isn’t so cheerful it’s still good to know that we’re dealing with honest, open people.
Thanks for taking care of business and the users. Any idea what the intention was?
Nothing to say at this time.
I never cease to be impressed with how you guys handle these issues. It is exemplary!
If every organization handled themselves as WP does, the world would be in far better shape!!! TY
Thank you for promptly posting this.
Thank you Matt! Did this affect self hosted blog accounts as well?
Self-hosted accounts are not affected.
I’m new to WordPress and I appreciate this kind of “heads-up”. As much as I hate trying to remember several different (complicated) passwords, it’s getting more and more important to do so these days!
Thank you. I appreciate the disclosure because it reinforces my sense that there are decent and solid people behind WordPress. I did a lot of research before I launched my blog and am very happy I chose this company.
Thank you for the transparency!
Thanks for informing the users, crap happens. I got spam to the email address I use here on 13 Apr 2011 18:26:53 -0000, offering “Rayon PCIe Serial Cards” from Acceed in German. May be pure coincidence; spam on that address is very rare but does happen (like once every few weeks).
Most likely pure coincidence – there’s a lot of spam out there. 😉 Feel free to drop us a line if you have any questions.
Appreciate the initiative to let us know even if (so far) users don’t experience anything strange (yet)! Will change passwords now… Not that they’d be interested in my blog anyway but if they will be trying to make a statement (and just gathering force now), then it’s time to secure our blogs.
I have suddenly been receiving mail from blogs to which I never subscribed. Could this be related?
Thanks!
It’s likely unrelated, but drop us a line with details and we’ll take a look.
I really believe that the true measure of an organization occurs not when they are at their best, but rather when they are at their worst. That is when you see real leadership. That is when you see people making tough decisions and going that extra mile to make things right.
Thank you Matt, and the rest of the Automattic team. We really do appreciate all your hard work. We know you’ve got it covered.
Thanks for the heads-up. Hope who ever it was got an earful! Any idea what they were actually after? I know there is a concentrated attack on emails in general going on at the moment, looks like a random-sort program kicking up short alphanumerics, repeating for their passwords, then shooting some very unpleasant spam to their contact lists. Any chance these guys were shopping for a “mailing list”?
(btw, “WordPress passwords are hashed and salted using phpass.” – sounds delicious!)
The activity appears to have been largely exploratory, and not targeted at a specific area. We’re still investigating.
Thanks Matt! “Go Get em” and thanks to WordPress for making me look good!
Thanks for the (open) news. The most important thing is to react/recover quickly. Hopefully it doesn’t happen again.
Thank you for the honesty! I have been meaning to change passwords so I just did that for a bunch of things.
Appreciate the announcement.