Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
Thanks for the update team. Crap happens, but you’re always keeping us up to date. Much appreciated. Hopefully no one was exposed too badly.
Thank you for being transparent!
Thanks for the info. All the best!
Thanks for all your hard work, guys!
Thank you sir. 🙂
Thanks for keeping us in the loop.
Thank you for your prompt and honest post.
Yikes… Glad you guys are up front about it though. Much appreciated.
Thanks for keeping us informed, much appreciated!! Such a shame that some people feel it necessary to break into a site as great as WP.com. 😦
Thanks for being on this problem as quickly, WP IT team!
My advice is to change your password once in a while. In school we do this to prevent security issues.
Honesty and transparency are rare. Thank you for being upfront and so quick to let us know!
Thanks for the info. 🙂
Honesty is the best policy.
This is what I find so great about WordPress.com. It takes a lot of guts to admit a fault which may have otherwise been overlooked by the community. Thanks for the honesty and transparency.
Thank you, your advice is heeded.
My condolences.
Were you storing passwords in plain-text or hashed?!
WordPress passwords are hashed and salted using phpass.
Thank you for letting us know! Sorry it happened. Stupid hackers!
Thanks for telling us!
So should we be concerned about our password being taken? This post alludes to that but doesn’t confirm.
We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.
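The two answers above (passwords are "hashed and salted using phpass", and so "difficult to crack" even if the stored records were taken) describe the standard defence against a database leak: each password is combined with a random per-user salt and run through a deliberately slow hash, so a leaked record reveals neither the password nor whether two users share one. The Python below is an added illustration of that scheme and is not WordPress.com's or phpass's own code; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for phpass, and the record format, iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work-factor parameters (constructed for this example, not phpass's own values).
ITERATIONS = 200_000   # iterations make each guess expensive for an attacker holding the record
SALT_BYTES = 16        # a fresh random salt per user defeats precomputed tables


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt_hex$digest_hex'.

    The salt and iteration count are stored alongside the digest so a later
    verify() needs nothing but the record and the candidate password.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Two users who chose the same password get different stored records.

    Because of the per-user salt, an attacker with the leaked table cannot
    see that the two accounts share a password, and cannot crack both with
    one guess; each record must be attacked separately.
    """
    record_a = hash_password(password)
    record_b = hash_password(password)
    return (record_a != record_b
            and verify_password(password, record_a)
            and verify_password(password, record_b))


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than policy now demands.

    After an incident a site typically raises its work factor; records are
    upgraded transparently at the user's next successful login, since only
    then is the plaintext available to re-hash.
    """
    stored_iterations = int(record.split("$")[0])
    return stored_iterations < current_iterations


if __name__ == "__main__":
    # Constructed sample: one user sets a password, later logs in.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("right password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:", verify_password("correct horse battery stable", stored))
    print("same password, distinct records:", same_password_different_records("hunter2"))
    print("record needs rehash at 2x policy:", needs_rehash(stored, ITERATIONS * 2))
```

The point the example makes for the advice in the post is that the salt and slow hash protect a stored record, not a password that is weak or reused: a guessable password is still found by guessing it, and a password reused elsewhere can be tried against the other site once it is recovered anywhere.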
Thanks WordPress.com. These things happen when you are the coolest kid on the block.
Will roll out a new password sooner than the normal 30 days to be safe(r).
Cheers, Stephen
Hopefully nothing too sensitive was breached. Thanks for keeping us in the loop.
It’s great that you have told us as soon as you knew. It makes it far easier to trust you.
Security breaches are a fact of life in today’s world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.
Thanks for watching out for us. 🙂
Thanks for informing us, Matt. 😀
I trust you folks and your wonderful product. Knowing that you will stay on task and keep me informed, I find no reason to be seriously concerned.
The fact that you informed us really makes you trustworthy, thank you very much.
Thanks for your hard work in keeping this site secure! Passwords should be complex, long, and changed every so often!
Thanks for notifying us.
Thanks for keeping us informed!
Gyuh. Thanks for the heads up.
So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?
This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.
Another thank you for the info. I haven’t really changed my password for a long while anyway, so I changed today. Can’t hurt. 🙂
I really appreciate your letting us know, Matt and WP.
What a thing for a brand new user (as of last evening) to hear. Not very promising, but at least the whistle blew. Good for you!
Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.
I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.
I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.
Thanks for letting us know!
Thank you for the warning, it’s greatly appreciated!
I appreciate the heads up.
Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.
I feel safe with WordPress.com, and I couldn’t be happier with the service.
omgtheyhackzurserverzweizgunnadieztakecover!
Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.
:@ tough break! I guess I’ll have to change my password. 8)
Thanks for informing us. It shows that WordPress.com is very interesting.
Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.
Thank you for the info!!!
Appreciate the timely information, and your transparency.
I appreciate your honesty in revealing this breach.
Thanks for letting us know. We trust WordPress.
The timely and honest update, as well as the security suggestions are much appreciated.
Thanks for the information and good luck in your investigation. What a strange world we’re in. Keep up the good work!
Glad there is someone willing to do the hard work at WordPress, so I can do easy stuff like blogging.
Thanks for being open, I appreciate it. Gives a new meaning to kicking the bucket 🙂
Thanks for the heads up, Matt. It’s only natural that when you’re Number One, everyone will be gunning for you. Consider it a compliment. 🙂
Thanks for the heads-up. Who knows what the hackers were looking for.
Thanks a lot for the Honesty and fast Notification. Just great Behavior!
Wow! Thanks for letting us all know. Don’t those hackers have better things to do.
Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.
It is highly unlikely it’s related, but we will keep an eye out for other users reporting anything similar.
Thanks for telling us. 🙂
Hey Matt, great job on updating us all. Don’t you dare feel guilty if problems occur. You guys are terrific, as is this site.
That sucks. Thanks for the advice.
By “potentially anything on those servers could have been revealed” do you mean that our credit card numbers and other non-public info like personal phone and such may be available on the black market?
We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.
Thanx for sharing. My sites seem perfectly fine.
Thank you for being up front with us by communicating and protecting us and WordPress. I hope the forensic study leads you to the party who conducted this action.
❤ you WP team of fabsters!
Security is all of our responsibility, thank you for the heads up as well as the untarnished presentation.
All my WordPress installs are on private domains not wordpress.com — is this breach only of concern to users on the wordpress.com servers?
Correct.
Thanks for being upfront and sharing the info right away. Your hard work is appreciated!
Kudos for being so open about the incident. Many other websites would just deny that any data may have been revealed to make it sound like they are 100% secure when they really aren’t.
Thanks a lot for letting us know about this. It must have been hard to say! My dad was in IT security, and he was on me all the time for passwords, etc, since security is hard to keep these days.
Thanks for the alert. I wonder what the hackers stand to gain from whatever they ‘got’.
Cheers.
It is too early to say — it appears that the activity was largely exploratory, not targeted at a specific area, but we are still investigating.
Matt, thanks to you and everyone at WordPress for creating and maintaining such an excellent site that is always getting better.
Thank you for letting us know! It is appreciated.
Thank you so much for being open and honest about the problem at hand. Continue the excellent work!
Thanks for letting us know, Matt. When we change our passwords, will we then have to reauthorize Publicize services like Twitter, etc.?
Nope, those connections should be maintained.
Good thing I have nothing worth stealing. 🙂 Thanks for saying what you did not have to say!
Thanks for the update, the disclosure, and your honesty. I appreciate that!
Thanks for the information!
Thanks.
Thank you. A lot of companies won’t tell you when they have a problem like this. It’s nice to know you are honest and clear.
Thanks for the information and your dedication to clearing this up.
Too many security incidents around the web. I am already using different passwords, but there is still a lot of uncertainty. Stupid stuff. 😦
Thanks for the update!
Thank you for the update.
Thank you for conveying the tough news.
I really appreciate you telling us about this. I actually feel more secure when companies I do business with, let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue??
What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!
Thanks again and Kudos!
Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.
One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.
Thanks for your honesty, and for your suggestions.
Thanks for the announcement. Remember you have to beef up security, seeing as you host some very important VIP blogs and newspapers on your servers. Best of luck.
You guys are awesome!! I really appreciate you spilling the beans so quickly. God bless your efforts and hoping you can find the people who did this.
Have you been able to consider any motivation, or particulars to any sites, political or otherwise?
Thanks
Nothing to say at this time.
Appreciate the update!
It’s quite strange to read “Security incident” near your big smile on your gravatar. Thanks for the clear message.