This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.
We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:
- Go to WordPress.com.
- Click the “Login” button on the homepage.
- Click on the link “Lost your password?”
- Enter your WordPress.com username.
- Click the “Get New Password” button.
In general, it’s very important that passwords be unique for each account. Using the same password on different websites increases the risk of an account being hacked: a password leaked from one service can be tried against every other service where it was reused. Now would be a good time for all users to go through all of their online services and set distinct, strong passwords for each.
It’s also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:
- Browse to WordPress.com.
- Hover over the user avatar at the top right of the screen.
- Click “Settings.”
- Click “Security” from the submenu.
- Follow the instructions provided there.
We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.
Thanks, but this may not solve the problem. The hackers may get to your Gmail (they had the password anyway) to frustrate these efforts. I hope those affected by this hacking can recover their accounts.
That is what I called Customer Service and For the Love of the Customer! Thank you for being so considerate. You Rock!
Reblogged this on ohiogirl93066 and commented:
This upsets me because it feels to me that our privacy is being violated yet again and people don’t give a damn! When they hack they aren’t thinking about the chaos that causes!
It is good to get reminders about passwords etc. However hacking passwords is an ongoing issue across the board.
There is not any “security” submenu in my dashboard.
What should I do?
The security item isn’t in the old-style dashboard; it’s in the settings available from the wordpress.com home page. Try going there, then hovering over the avatar at top right, then look for Settings.
Thank you so much!
It may be a coincidence, but yesterday, Sunday, September 14, I logged into WordPress and discovered one of my posts had vanished. The post itself is not a big deal. It was a first draft of a scene from a screenplay in progress that has since been rewritten. I left it in order to have confirmation of the posting date. For something to vanish, it must have been moved somewhere or been deleted, and not by me.
I do see that a post was deleted about 3 months ago, and posts moved to the trash are auto-purged after a while. Perhaps that was the issue?
Very awesome that WordPress was so diligent!
How could you compare passwords? Are they not hashed?
The passwords in the list were in plain text. We compared them to our hashed values in the same way that we do when you try to log in — by hashing the plain text password before comparing. If the hashed password from the list matches the hashed password we’ve stored, then the passwords overlapped.
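The comparison described in the reply above, as an added example that is not WordPress.com’s own code: it assumes a salted PBKDF2 scheme as a stand-in for whatever hash the site actually uses, and applies the post’s two outcomes (reset when the leaked plaintext matches the stored hash, dashboard notification when the email is in the list but the password differs).

```python
import hashlib
import hmac
import os

# Assumed stand-in for the site's real scheme: salted PBKDF2-HMAC-SHA256.
# The post only says the leaked plaintext is hashed and compared with the
# stored value; it does not name the hash function WordPress.com uses.
ITERATIONS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_user(email, password):
    """Build a stored record the way signup would: random salt plus hash."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}

def triage_leak(leaked, users):
    """Compare leaked (email, plaintext) pairs against stored hashes.

    Returns {"reset": [...], "notify": [...]}: "reset" holds accounts whose
    stored hash matches the leaked plaintext (password reused, so force a
    reset); "notify" holds accounts whose email is in the list but whose
    password differs (not immediately exposed, so just warn them).
    """
    reset, notify = set(), set()
    for email, plaintext in leaked:
        record = users.get(email.strip().lower())
        if record is None:
            continue  # address is not one of our users
        candidate = hash_password(plaintext, record["salt"])
        # Constant-time comparison, as the login path would do.
        if hmac.compare_digest(candidate, record["hash"]):
            reset.add(record["email"])
        else:
            notify.add(record["email"])
    notify -= reset  # an account that needs a reset does not also get a mere warning
    return {"reset": sorted(reset), "notify": sorted(notify)}

# Constructed sample data; none of these values come from the real list.
USERS = {u["email"]: u for u in (
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "summer2014!"),
)}
LEAK = [
    ("alice@example.com", "correct horse battery staple"),  # reused -> reset
    ("Bob@Example.com", "letmein"),                           # differs -> notify
    ("carol@example.com", "qwerty"),                          # not a user
]
```

Running `triage_leak(LEAK, USERS)` yields alice under `reset` and bob under `notify`; carol is skipped because the address is not in the user table.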
I have full identity restoration so I’m covered
Reblogged this on dmcrim and commented:
Another example of hackers! Glad to know WordPress is taking appropriate precautions! Great website 🙂
Very professional, and it’s not Google. Thanks.
Good job. WordPress gets a bum rap sometimes for security that I don’t think it deserves. Keep updating everyone is my advice. Customers like updates.
Though mine wasn’t one of the passwords hacked, I’m thankful that you responded so quickly. I’m also thankful for LastPass, password vault and generator.
Thank you so much for taking care of us! I will follow up on what you recommend below.
Daryl, I just received an email about downloading a new WordPress 4 called “Benny” from Matt Mullenweg that looks like a scam. Is there a new WordPress to download? Thanks, Linda
Linda Kennett
“The people who know their God will display strength and take action.” Daniel 11:32b NASB
Linda, such an email may have gone out (I’m not sure). There is a new WordPress 4 version named “Benny.” If you’re using wordpress.com, it won’t likely be relevant to you, as it’s the version that you install on your own server. You should always be wary of what links you click in an email. If you’d like to download WordPress 4.0, just head over to wordpress.org and get the download from there, or if you happen to have a WordPress install already, you should be able to update right from your dashboard. Again, though, if you’re on wordpress.com, you’re already taken care of.
Thank you, WordPress! Incredibly helpful!
thanks so much for your diligence… 🙂 it’s appreciated… have a fabulous day…
Daryl, Thanks for the information. It’s probably nothing to get worked up over.
Thanks for the info.
Thanks for taking care of this.