Gmail Password Leak Update
We’ve taken extra steps to protect WordPress.com members.
This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.
We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:
- Go to WordPress.com.
- Click the “Login” button on the homepage.
- Click on the link “Lost your password?”
- Enter your WordPress.com username.
- Click the “Get New Password” button.
In general, it’s very important that passwords be unique for each account. Using the same password on different web sites increases the risk of an account being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.
It’s also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:
- Browse to WordPress.com.
- Hover over the user avatar at the top right of the screen.
- Click “Settings.”
- Click “Security” from the submenu.
- Follow the instructions provided there.
We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.
- September 12, 2014
- Notifications, Security
WordPress.com News 
thank for your kind and consideration
LikeLiked by 4 people
That was awesome of you!
LikeLiked by 10 people
Thanks for staying on top of this and taking care of us.
LikeLiked by 7 people
It seems like you hear of someone being hacked on almost a daily basis. My email was hacked over a year ago. Real pain in back side. I bought a password program and use a different 18 to 20 character password on every site. Have not been hacked every since but not as quick and easy to go to different sites. I try to remember and change some of them that go to sensitive sites like my bank on a some what regular basis.
Frank
LikeLiked by 16 people
From Gary Tate / gate3@juno.com I’m trying to reset my account with WordPress
Sent from my Verizon Wireless 4G LTE DROID
“WordPress.com News” wrote:
> a:hover { color: red; } a { text-decoration: none; color: #0088cc; } a.primaryactionlink:link, a.primaryactionlink:visited { background-color: #2585B2; color: #fff; } a.primaryactionlink:hover, a.primaryactionlink:active { background-color: #11729E !important; color: #fff !important; } /* @media only screen and (max-device-width: 480px) { .post { min-width: 700px !important; } } */ WordPress.com Daryl L. L. Houston posted: “This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPr”
LikeLiked by 1 person
If you’re having trouble, head here to try to reset. If that doesn’t work, try the “Need More Help?” link at the bottom, provide the requested info to help us validate access to the account, and we’ll try to get you squared away.
LikeLike
You guys are GREAT!!
LikeLiked by 4 people
Please help. I am not able to get into my site http://www.LifeInSmallBites.com and have repeatedly asked for new password update. No link is ever sent from WordPress to my e-mail jim@lifeinsmallbites.com Please send link so I can update my Password. Thank you – Jim
LikeLike
Jim, be sure to check your spam folder to make sure the emails aren’t being sent there. If not, then head over here and click the “Need More Help?” link at the bottom. Provide the requested details that’ll help us validate your access to the account and we’ll do our best to help get you logged back in.
LikeLiked by 1 person
Thanks, WordPress! You are wonderful!
LikeLiked by 1 person
I see a time coming where there will be daily hacks and security breaches that will change the fabric of how we do business. Everyone is going to have to be knowledgeable on IT and security issues in order to stay abreast of the threats lurking on every webpage/site. It is ashame we have to deal with these issues, but glad your on top of it nevertheless. I hope those who had their emails breached know, some may never know until it is too late.
LikeLiked by 1 person
Thank you WordPress!! You guys and Gals rock!!
LikeLiked by 1 person
Nice to hear that. Thank you.
LikeLiked by 1 person
I thank you for taking the security of your users to another level. I am glad I am apart of a service who takes the time to do what was outlined above.
LikeLiked by 2 people
Thank you. I didn’t get an email, but I always worry that I should have, but it got sent to spam. I’ll check just to make sure. Nice to know you guys are vigilant.
LikeLike
The email address you’ve used to comment was not on our list of accounts with matching passwords, so we didn’t send you an email. It’s still a good opportunity and reminder to double-check your password age and security. Even if you weren’t on this list, you never know when you’ll turn up on a list somewhere.
LikeLike
Thank you.
One thing I have found is, I backed up the password program with the URL user name and password in a word doc that is named a generic name. Some sites nail the password program when it logs in for me as being a robot. With most of the sites I go to being bookmarked, it is quick and easy to copy and paste from the word doc and it gives me a backup. I save the doc from time to time. I had a nasty virus awhile back and was thankful for a 3T external hard drive backup. Also grateful that I keep 2 copies of every authorization and key for each program I buy in a special folder. If you are not backed up, you might check with Amazon. The 3 Terabyte was less than $130 shipping and everything last year. Check with other places because Amazon does not always have the lowest price. Smaller external hard drives are cheaper.
If the folder for authorizing software is in your doc files, it will be automatically backed up on a regular basis.
I had to reinstall and reauthorize every program that I use. Pain was not as bad as it would of been with out organization and copies of what I needed. Bought my first computer in 1987 and been bit several times.
Frank
LikeLiked by 3 people
Thank you for all you do which are unnoticed and while we are sleeping. Blessings on you and the team.
LikeLike
YAY WordPress.com!! Hackers – evil is as evil does.
LikeLiked by 1 person
Good proactive work.
Sent from my iPhone
>
LikeLike
And that’s why we LOVE wordpress.com !!!
LikeLike
Thanks for looking out for all of us little guys blogging our hearts out! WordPress you rock!
LikeLike
18 to 20 character password??? Is this the new prevention for Alzheimers….
LikeLiked by 1 person
We really recommend the use of password manager software, which lets you remember one strong pass phrase that will encrypt and protect strong, random passwords for your various services. It’s really convenient and helps make your online accounts much more secure across the board.
LikeLiked by 2 people
Thanks Daryl for your kind suggestion. This will be very helpful to so many of us bloggers and internet users.Could you share please which password manager softwares you have found useful. Thanks soooo much for your insights!
LikeLike
We provide a list of handy password managers in this support document. Hope that helps!
LikeLiked by 2 people
Yes very much thanks again.
LikeLike
Thank you very much. Makes me glad I choose WordPress and not something else.
LikeLike
Reblogged this on BAREFOOT TRAVELER and commented:
Gmail Password Leak Update
LikeLike
I’m just new here but still thanks so much!
LikeLike
Good heads up on your part. Thank you.
LikeLike
Thanks for everything pro-active about WordPress !
LikeLike
Reblogged this on Lwcapp.
LikeLike
Great stuff guys, thank you for looking out for us!
LikeLike
nice and useful post
LikeLike
I heard but before this security agencies were aware that Samanpurians were working through IT platform.
LikeLike
The 5 million email id that were leaked were more linked to bitcoin users and bitcoin accounts.
LikeLike
Right, but since we know that people often use the same passwords across multiple accounts, we wanted to prevent in advance any account compromises in cases of such reuse. As noted in the post, there were over 100,000 accounts in the publicly available list for which the password could have allowed anyone reading the list to log into a WordPress.com account if it occurred to them to try (and this sort of thing certainly does occur to hackers and spammers). So sure, the list started as a bitcoin user account list, but it could have been used to hurt our users, and we prevented it.
LikeLiked by 1 person
Thank you
LikeLike
A very helpful and professional approach; even though we don’t associate this account with G-Mail the general advice about passwords is relevant and timely. Well done WordPress.
LikeLike
Well done you|se.
LikeLike
Reblogged this on ©African News Digest®.
LikeLike
Reblogged this on Gamenology and commented:
WordPress is totally awesome! If you are looking for a good website provider, choose WordPress!
LikeLike
Dude that was totally awesome! Mine wasn’t affected, but your great work has saved a lot of people! Great job! 🙂
LikeLike
Good update. Thanks for the information.
LikeLike
Reblogged this on secondastella72 and commented:
Gli hackers colpiscono ancora, sono fortunatamente incappata in questa mail, la rebloggo, penso sia utile a tutti noi che utilizziamo wordpress. Io sicuramente vado a modificare la mia password!!
LikeLike
Appreciate this support!
LikeLike
Thank you for letting me know. I, however, opened a WordPress blog at one or other time but I did not carry on from there. I think I either cancelled the blog or I was trying to do so. So please let me know how I can get out of this predicament.
Trust to hear from you in this regard,
Regards,
Ester Blomerus
LikeLike
Ester, head over here to regain access to the account and reset the password.
LikeLiked by 1 person
Reblogged this on Ass.Esp. Via Boulder.
LikeLike
Had this happen with something else a few months ago. Thanks for this news. I had no idea. 🙂
LikeLike
Reblogged this on The love of God and commented:
Warning to all visitors, straight from the WP blog…
LikeLike
Hello,
I am so sorry! Your last eMails – I couldn’ t find any more! Please, can You Tell me, if my Account was hackend too?
Thank You very much! I will change my Passwort, but I had to know this, please! It’s urgent because of my profession!
Have a Good Day! Thanks!
HeideMarie R. Ehrke
Von meinem iPad gesendet
>
LikeLike
The list we checked was composed of Gmail accounts, and yours (at least the one you’re commenting with) is not a Gmail account, so it wasn’t on our list. It’s a good idea to change your password periodically and to follow best practices (linked in the post) for creating a strong password. Now would be as good a time as any to take care of that, whether or not you know your account to have been compromised.
LikeLike
Hi Daryl,
I appreciate your vigilance on our security but who would ever hack intellectual property?. I think that’s the reason I couldn’t get into my account anymore. I’ve been trying to do it several times with no avail. Please, let us do it in the end that we would be able to access our account. I did it several times to make a new post but failed.
Thank you again.
http://www.emmacachor.wordpress.com
LikeLike
Yikes, I’m sorry you’re having trouble getting back in. Head to our lost password page to try to get sorted. If that too is giving you trouble, click the “Need More Help?” link at the bottom, provide the requested info to verify your account, and we’ll try to help you regain access.
As for who would ever try to hack intellectual property, you’d be surprised how often it happens and how much work we do behind the scenes to try to prevent it. There are other nasty reasons to try to hijack blogs too. Security is important even for things for which you wouldn’t really expect it to matter at all. 🙂
LikeLiked by 1 person
Glad you are proactively handling this.
LikeLike
Your prompt action is commendable; a testimony for the care and concern you hold for members.
LikeLike
Amazing work and thank you for being so proactive it the protection of our passwords
LikeLike
Why don’t we just shut down the Russian hackers?
LikeLike
How do you know what users passwords are? Are you storing them in an accessible form? This is not good if that is the case…
LikeLike
Nope, we’re definitely not storing them in an accessible form, but since the list included passwords in plain text, we could encrypt them and compare them to the encrypted passwords in our system. It’s the same process that occurs when you submit a password yourself via a form. 🙂
LikeLike
Ok good… Just checking! Glad that you went thru the exercise to hash millions of passwords and compare against the leak
LikeLiked by 1 person
Reblogged this on ravinthranath.
LikeLike
Thank you. This is what I call real service. Everyone on the web has a social responsibility but few fulfill it. You should be applauded for your actions. Well done.
By the way, I just read this to my wife and she was really impressed with your response as well.
LikeLike
Reblogged this on Freedom Per Thought.
LikeLike
thanks for the concern..
LikeLike
thank you. I shall share this
LikeLike
Thank you for protecting us !
LikeLike
Reblogged this on Behind Silence and Solitude and commented:
Well, good job WordPress.com
LikeLike
Reblogged this on samsterwasi.
LikeLike
Thank you for your speedy action! Some of us wouldn’t have known this in time to safeguard our accounts at WordPress.
One of the best things anyone can do in a situation like this is immediately change the password of the gmail address associated with one’s WordPress account, whether or not one’s email is included in the list of 5 million hacked gmail accounts, among other things besides of course.
LikeLike
Nice update
LikeLike
Please keep us posted on this. Thanks.
LikeLike
Did the hacked list include Google Apps accounts?
b
LikeLike
Nope.
LikeLike
Thanks guys for taking care of us!
LikeLike
Reblogged this on Honey Silvas and commented:
It’s time to change passwords… again! Have a password changing party!
LikeLike
Reblogged this on if all else fails…use a hammer and commented:
In case any of you missed this, now might be a good time to update your WordPress and Gmail passwords (and Facebook, and Twitter, and Instagram, and Amazon…I should make a list of all my online accounts, methinks.)
LikeLike
Thanks for your diligence.
LikeLike
Even though my password wasn’t in your list, I just wanted to thank you for doing the right thing!
LikeLike
Reblogged this on EMPOWERED RESULTS and commented:
This is why I love using WordPress… 🙂
LikeLike
Reblogged this on impressions and commented:
In general, it’s very important that passwords be unique for each ACCOUNT. Using the same password on different web sites increases the risk of an ACCOUNT being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.
LikeLike
Thank you for the support
LikeLike
This is awesome and I re-blog…Thank you!
LikeLike
Great job – this kind of thing keeps us blogging with WP.
LikeLike
I would strongly recommend using the app Password Safe. I use it all the time and if you are interested then there is a post about it in my blog.
LikeLike
Now this is how all sites that login with Google should react!! Thanks, WordPress!!
LikeLike
Reblogged this on TruthDirect and commented:
Something important that should be read!
LikeLike
Having bought my first computer in 1987, I have had some disasters over the years. What I found out is, 3,4, 5 or more years go by without a real problem with your files and programs, you get really careless about backing up.
That is why I like an external hard drive backup. For less than $130 I bought an 3 Terabyte backup hard drive. When I purchase a new program I automatically put all the necessary information in a doc file and save it to a folder just for that purpose. When I change a password or create a new account I use a password program to generate a 18 to 20 character password. I then save the login information, the URL, user name and password in a document for backup and to use on some sites.
Because all the information to reinstall, reauthorize a program and all my login information are in doc files, the external hard drive automatically keeps them backed up.
Being human I am prone to get careless when enough time passes without any major problems.
I found the best way to get around that is have a system that does it automatically for you.
What causes the greatest problems for us is, month after month, maybe several years go by nothing serious happens, things go pretty good. We get complacent. Really careless and then BOOM we get bit.
Amazing what you learn from the pain inflicted by the problem.
Frank
LikeLike
Reblogged this on ✯ Jordan135 Gaming ✯.
LikeLike
Reblogged this on Babyzeuch und Schweinskotelett.
LikeLike
Reblogged this on cocosangel and commented:
For my friends who may have gmail accounts… please check this site.
LikeLike
Reblogged this on feddy92.
LikeLike
Reblogged this on Feigned Affections and commented:
No offense to the WordPress team. I am sick of all these password leaks. This mostly to remind myself to change my password.
LikeLike
Thank you for caring about us.
LikeLike
Thanks so much! Question: is it possible to get 2 step authentication if one lives in a country that is not the U.S.? I live in Israel most of the time.
LikeLike
Yes, we support 2-step authentication in many countries, and Israel is among them. Go ahead and give it a try! If you run into a problem with the SMS, you may have better luck with an authenticator app.
LikeLike
I do have Authy. Does that do the two-step, too?
LikeLike
Authy does two-step, but I don’t know that it works with wordpress.com. I suspect not. I’ve always used Google’s Authenticator app or SMS messages (handy for when you’re switching phones).
LikeLike
I’ll have to try the SMS method because my Israeli phone is an iPhone and naturally can’t get Google apps unless things have recently changed. Thanks for your great information! Really appreciate it 🙂
LikeLike
If I remember correctly, there is an iPhone version of the app as well. At any rate, I used an authenticator on my iPhone before I switched to Android recently. So don’t lose heart! 🙂
LikeLike
thank you
LikeLike
thanks sir for this warning and advice 😀
LikeLike
Reblogged this on Niraj Sapkota.
LikeLike
Reblogged this on Lets talk Mafia Wars.
LikeLike
Reblogged this on The Online Sales Wire and commented:
This is good to know in case you missed.
LikeLike
Thanks for the info.
LikeLike
Reblogged this on recovery_channel™.
LikeLike
Reblogged this on To write is to write is to write and commented:
In case you missed it . . .
LikeLike
Wow.. Privacy has lost it’s meaning!
LikeLike
Thank you for taking the quickest countermeasures to protect bloggers. I have the two-step authentication security feature so I strongly recommend it for others for better password protection.
LikeLike
I’ve never read yourgmail hackers, but, seriously, thanks for writing this article , I do have Authy
LikeLike
Reblogged this on Ordinary Leader and commented:
I cannot emphasize enough to all of you how critical it is to maintain strong passwords and unique password for every site. I appreciate WordPress two-step verification process with an Authenticator app. This is essential to protect you personally, your career, your intellectual assets as well as financial assets.
LikeLike
This is so nice, Daryl. On a completely unrelated note, I miss reading your writing tips. Need to head to your blog!
LikeLike
Oh, that’s so sweet. Brightened my evening. 🙂 Thanks!
LikeLike
For those who are already using Password Managers, which one is the best among those in the list? How about you, Daryl? Which do you use? (Preferably free because I’m poor.)
LikeLike
I’ve only ever used “1 Password” and so can’t speak to the quality of the others, sadly. It has served me well but is not free. Any of the ones on the list at the “strong passwords” link in the post would be worth looking into.
LikeLike
If you want to check if your Google account, which is the gateway to your Gmail, Plus, Drive, Hangout, YouTube accounts as well, has been compromised, then simply click this link and provide your Gmail ID. https://isleaked.com
LikeLike
Thank you once again
LikeLiked by 1 person
I want to check the list of email addresses to make sure my email address is included in the list or not. Where can I find the list?
LikeLiked by 1 person
There are sites you can enter your email address into to check, but I’d be wary of providing my address. The address associated with your comment is not on the list. 🙂
LikeLiked by 1 person