Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
WordPress.com News 
Thank you for the heads up!
The transparency and the guts to speak the the truth is the strength of WordPress. Kudos to you, you spoke the truth. Thanks for the advice on changing and keeping complex password.
Thanks… Were personal info, especially email addresses, touched by this?
It is possible email addresses were downloaded, but we don’t think so.
Thanks! Your team is much more on the ball than the e-retailer that didn’t bother to tell me their site was compromised until I complained about being spammed by their “secure” site.
Wow, this is good to know. Thanks!!!
Thanks for letting us know and keeping us up to date. 😀
Thanks for the suggestions, they’re really helpful!
Oh damn, I thought ‘security incident’ was a new theme and it sounded cool 😛
You guys do a great job, thanks for all your hard work.
dang. that’s rough. we’re glad to know about this incident.
thanks for updates
Guys, Thank You so much for the heads up. Even the best fall like the recent Epsilon breach. According to some reports Epsilon knew about a vulnerability on their side but they didn’t warn their users before like you did. I’m sure you will do in all your power to protect our data. I have a question though; I don’t understand when you said “Use different passwords for different sites”.
That means that for every website you should have a different password, for example don’t use the same password for WordPress.com and Twitter.com.
Do you know whether any code was changed? Could the person/people who broke in have modified the code to send an email back to them any time someone changes their password?
They could have, but we checked all the code that’s running and it’s all ours.
Thank you for informing, advising and helping us understand. This is unfortunate, but it seems like the way of the world.
Thank you for letting us know.
Sadly, some folks haven’t figured out the way karma works, but will. Thanks for the update. I really appreciate your frankness and hope this is all resolved soon. Take good care, all of you!
Not good news, but great that you’re being upfront about it – appreciate the info.
Thanks! I will change my password right away!
Thank you for the info Matt, much appreciated!
Thank you for sharing.
Thank you for keeping us informed and for responding to people’s concerns quickly. Yay WordPress!
Thanks for sharing such an incident to the users (which most organizations would hide).
thank you so much.. all our blogs mean so much more to us and u just made us care for them all the more matt.. will be more cautious now =P
Thanks for the update – You’ve turned a negative into a positive by thinking to share some really good advice about using different passwords and how to manage them effectively. I use KeePass and will have a look at the others you mentioned for other clients. The other one to emphasise is the importance of backup and recovery procedures, that way if you loose everything you can at least get it back (or do a compare to help work out what may have been changed)
Fight the good fight! Thanks for keeping us informed.
Thanks for being clear on this.
it’s great that WordPress is so personal and always keeps us informed 🙂 thank you!
Thanks for letting us know – luckily I was thinking about changing my set of passwords anyway.
I love WP, and try to talk my Blogger friends into making the big switch. Hey, junk happens. Thank for giving us the heads up on the situation! Appreciate it!
Your transparency is very much appreciated. Will heed your advice now.
We do appreciate, please update us for any new security incidents.
In my bad english I’d like to say ‘thank yoiu’ for your honesty and transparency, which I didn’t find in any other platform.
Information dissemination is important. Thanks a lot and regards.
Thanks for letting your customers know :). K
Thanks for all you do! I love having this great free service for sharing thoughts and keeping track of friends. Your team does a great job, and I appreciate it!!
Thanks for the heads up. “)
Better we know than we don’t. New passwords are easy, so… done!
Living on the web is like living in the city… lock the doors, look both ways before crossing and wash your hands!
Thanks for the update!
Thanks for the update! Sending hope you repair things soon. 🙂
Thanks for letting us to make stronger passwords.
Many thanks, I really appreciate your work and this frank attitude! Good luck, Matt!
Thank you, WordPress, for your generous hosting of our blogs! And a big “Thank you” to the wizards, WordPress’ Happiness Engineers!
Thanks for letting us know. Y’all work so hard on making WP a secure and safe place for all of us to blog and share with the world, all of your work is very appreciated by us members/bloggers. I do hope y’all catch the person/group who did this.
Maybe it’s best that all of us change our passwords just in case? I know I’m going to be changing mine to be safe!!
Thank you for the update yes it is a tough one to announce however I have more respect for the fact that you were honest and told all of us rather than trying to cover it up like some other sites do and would.
Very much appreciate the update. Good luck–we’ve got confidence in you.
Insecurity is my normal state 🙂
Thanks for your honesty, good work.
Keep up the good work, guys….
Thank you for the quick and honest info!
It’s much appreciated.
How indicative all these comments are on the kind of service WP gives, i.e., the best. As an appreciative user, I rather resent the implication that I am on some sort of drugs because I applaud WP’s (and Matt’s) honesty and attempts at great service (as one commenter suggested above). “If you live by the sword, you die by the sword.” We users of the internet know that these things happen and that determined hackers are stopped only with intense effort. Now, here’s my contribution:
I have so many internet accounts to various websites that, if I change my passwords, I am doomed.
However, I use something that was recommended by my bank. It’s called Trusteer and not only protects my password, but protects any website I ask it to, including, of course, my online banking sites (and, now, WordPress). Once you install it, it is very easy to use. You can set it for weekly reports as well. I was appalled at how many various invasion attempts it is stopping, but very glad it was stopping them.
Thank you so much for being so transparent.
Appreciate the transparency! We love companies with this kind of behaviour. Nobody is fully protected from incidents like that.
Thank you WP team.
Thank you. This motivated me to get LastPass.
Creepy…Thanks for the head up!
Thank you! Good to know you have our backs!!
Keep up the honesty and integrity, that’s what makes you guys #1 Thanks!
What is with these fraudsters?! I found out someone or ‘something’ has been using my bank account as well today!! Ah well, at least we have honest people like you WordPress guys! Good luck in your investigations! Poppy 🙂
Must say I was somewhat alarmed at seeing this title, but thanks goodness your team’s controlling it. This situation is becoming a contagious disease whew!!
Thanks for keeping us up-to-date especially with this kind of issue. Highly appreciated!
Thank you so much for the info. I have to admit I’m new here and I know now what to do for my security. again thank you. XD
Your honesty and openness are awesome… Hopefully no one has stolen my identity… Geoff
Honesty is always the best policy. Thanks!
Thanks for being honest and keeping us in the loop. 🙂
Thanks for all your hard work, guys!
Thanks for the update. Appreciate it.
This kind of policy – to be transparent – is exactly what will grow your success. Thank you so much.
We love you all for all that you do to keep us safe. Have a great day squaring things away.
Appreciate the honest update!
Thanks for that…suppose incidents like that go with the territory, no matter how secure we’re trying to make this. Awesome advice on passwords!
Thanks for the update. Good to hear that you are so open on these issues. Indeed, stuff happens. But it is not about the way that you fall, but about the way you get up your feet again. 🙂 And you are doing just fine.
Thanks so much! Sincerely appreciate it!
Thanks for the notice and for working to figure things out!
Appreciate the heads up guys, thanks! –Meg
As usual, WordPress at its best. Thank you for the info.
Roger, over and out.
The WordPress Family: the Best Thing About the Internet.
Thanks for the update.
See, this is what I respect about WordPress and other people who work similarly. You admit it when things happen, and there’s no covering-up or blaming. Just telling us what’s happened nice and clearly, and giving advice on what to do. Thanks 🙂
Aw sorry to hear and thanks for letting us know, I appreciate your open communication.
I hope they’re caught! Good luck.
I read of the security breach
And the lessons in the life it would teach
I won’t worry my head
Or give into the dread,
I’m going down to the beach.
As others have said, appreciate the honesty. Being upfront about security breaches endears your users more to WordPress and also motivates you guys to excel in keeping security higher so you don’t have to give us bad news.
God bless and keep up the good work!!!
Thank you for being open, honest, very much appreciated.
Your competitors could learn a thing or two about customer service from you. Stuff happens, but be honest about it and consider your customers as assets instead of numbers on a spreadsheet. You guys rock!
Thanks for the tips!
Thanks for the honesty. Standing behind you and your efforts. Keep the faith.
Thanks for all your hard work, guys!
I still use you as my media. Thanks for your honesty.
Thank you for being transparent. Yeah, so crap happens, but at least you notify us and considering how many people use WordPress and how I have no idea how you get all the work done, I seriously don’t care. So what? Then we’re going to change our passwords. 🙂
Still in love with WordPress.
Everyone’s so nice on WordPress!
Kudos for the heads-up.
Thanks, I really appreciate it.
Thanks for the update. I appreciate it.