Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
Thanks, this is one of the reasons why I like it here at WordPress. I am new and still learning, but know they are on top of everything.
Thank you for the clear, honest, and open message. Good to see you very transparent, that’s why I love WordPress.
In a world full of not-so-nice organizations, you guys are a comfort to my soul. You are what everybody should be like — honest, transparent, capable, quick to act, everything an organization should be. Bless you!
I really appreciate the honesty and transparency on this, guys. Thanks. Maybe you should have a conference with some other websites on how to maintain a mutual relationship with constituency and make every situation a win-win.
Best of luck. 🙂
Thanks for the heads up!
Thanks for the heads up! I really appreciate all you guys have done! Keep up the good work!
Thanks. Random passwords are a nuisance, impossible for me to memorize, but it’s the only way to go.
Just yesterday, I was explaining to my teenage stepson the significance of claiming responsibility for mistakes in business and life. I don’t have much to be revealed with respect to my blog info. However, I appreciate greatly your candid accountability in the face of such a break-in. It seems security incidents are more and more a part of living in a modern virtual world. Tighten your suspenders, pull up your bootstraps and keep up the good and honest work.
Thanks for the honesty. It’s never easy sharing info like that.
I still love WordPress.
Your integrity is much appreciated!
Thanks for keeping us informed, I’m sure you are all doing your best, I still love ya 🙂
Best of luck on your progress, Go Team!
Thanks for keeping us posted. These things seem to be happening more and more these days…
What kind of hacker would attack an open source matter!
Thanks to you guys for letting us know about this bad news.
Thank you, Matt. As the saying goes, everyone gets cracked sometime. It is how you respond to it that makes the difference.
Thanks for being honest with us… Will remember WordPress and Automattic in our prayers. Wish you all the best.
Thanks, love. Even the biggest Security Protection company had their own hacking not too long ago. Quite the scandal from what was exposed!
Thank you for alerting us. Hope your efforts to protect us are successful.
Good job, guys. It’s obvious you are on top of the game. Keep it up.
Hello! I am new to WordPress, but am already impressed with your integrity and honesty. It’s hard to find that today in big business. Thanks
Thanks for the update – are the passwords for user login stored encrypted? (I guess so – normal practice.)
Yes, passwords are hashed and salted.
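To make the distinction in that exchange concrete (encrypted versus hashed and salted), here is an added illustration, not code from Automattic or WordPress: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 is assumed for the example; the page does not say which function is used in production) mean that a copied password table still has to be brute-forced one record at a time, and identical passwords do not share a stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this illustration only; the page does not state
# which hash function or work factor Automattic used.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, stored_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def same_password_same_record(password: str) -> bool:
    """True only if two accounts with the same password would store the same
    value. With per-user salts this is False, so a stolen table cannot be
    cracked once and applied to every account, and precomputed tables are
    useless against it."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("shared record:", same_password_same_record("hunter2"))
```

The record format (algorithm, iteration count and salt stored beside the hash) is what lets a site raise the work factor later and re-hash on the user's next login without a password reset.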
Things like this happen; it’s good that your policy is NOT to hide such things.
Thanks for the info!
Excellent communication.
Thanks for the suggestions. I signed up for LastPass and it’s just what I needed!
Thanks for the info! I haven’t been on this site for quite a while, been busy on other sites. Will try to be more aware on this subject and remember to change my password from time to time. You have a good mix of blogs on here 🙂
Thanks guys: You’re still the best!!
Thanks for the update. If someone stole my password, I hope they do a great guest post!
Appreciate it.
~Mike
While the transparency was good, if all of these commenters are that naive to think Anonymous or The Daily Beast, Gawker, Politico, Grit or The Nation wouldn’t have scooped you had you not informed users, along with other litigious actions that would have forced you to after the fact, I’d certainly love to live in their world. Again, thanks for your work. Sorry to be snarky, but Geez Louise, people, wake up.
Thanks for letting us know. Unscrupulous people ought to be flogged! But until people learn to have ethics, this kind of thing will always be happening. Like so many others, I appreciate knowing about the breach. Keep up the good work.
Thank you for the message, and the information. I haven’t been on WordPress a long time, so it’s great to know that WordPress keeps you posted on what’s going on. Will do. Thanks again.
Thanks for sorting this out and keeping us up to date and for allowing us to have blogs for free.
Good to know you’re doing what you can to fix it.
Nice hint for passwords. Use a sentence with a number in it. For example: thereare24hoursinaday. That will make it crazy difficult for someone to hack your password because rather than one memorable word and a number as most people use this is a series of words and numbers.
It would be nice if it was easier to remember passwords. Everything seems to need passwords. I think the future may have us using fingerprint readers, eye scanners or facial recognition, or even voice, to accompany the passwords.
Thanks for nothing. Out of all places, I figured a blog would be more secure than that. Way to jeopardize our personal information with your incompetence. By saying Orwellian things like ‘low-level break-in’ you further demean the users of this blog service. But hey, thanks for letting us know after the fact. Really.
Thanks for the notice! I am new to blogging but I can say it is nice to see you are up front and on it from the outset!
MSgt Phil
Thanks for keeping us posted… Conrad Vincent
Thanks, Matt, for the headsup and what you folks are doing. Thanks for the suggestions.
Good reminder!! Security first.
WordPress deserves a kick in the teeth for letting this happen but a pat on the back for being open about the situation… So I shall issue you with a slap on the wrist.
Matt,
What is the latest on this?
We don’t have anything new to release. We’ll keep you posted as we know more.
It’s a great pleasure reading your post. It’s full of information I am looking for, and I love to post a comment that “The content of your post is awesome.”
Great work.
WordPress keeps freedom of thought and expression alive. Thanks guys for all the things you’ve done!
Thanks for being upfront with users. This type of transparency augurs well for the future. I feel more comfortable about the whole thing already… And good luck with bringing a resolution to all this…
Wow! What a classy organization! I’m proud to have chosen wordpress.com for all my eternal writing requirements. Is there any definitive update? Thanks for the honorable business practices!
Much appreciated! Thanks!
Thanks for being upfront and honest!! Think I could speak for everyone…you guys are awesome!!!
Thank you for the alert. This makes me more aware, and gives me the chance to do things right. Keep up the good work!
Thanks for keeping us up on what’s happening and your suggestions for safe blogging!
Barbarah
Thanks for your suggestions.
Hey Matt – I don’t envy you, having to take care of this kind of icky stuff. You probably got a wakeup call at 3 am, too, right? I was a database administrator for 15 years and have walked in your shoes! Thanks for dealing with the hackers on our behalf.