It seems to be the season for huge breaches in security right now. First we had the Epsilon email lists hack, which is why you’ve been getting “Sorry we lost your data” e-mails from Target, Citibank, etc., and now some nefarious types have broken into WordPress.com’s servers and stolen a whole raft of sensitive data on their users.
In a statement on the company blog a WordPress spokesman said:
“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.”
While most of the WordPress code is open source, their servers nonetheless hold API keys, proprietary code belonging to their users, and usernames and passwords – all of which were potentially swiped by the hackers who gained entry. The attack will affect both casual users and the WordPress-hosted “VIP” blogs (high-traffic sites that pay WordPress to host and look after the nuts and bolts).
WordPress’ ubiquity has made it an increasingly popular target: it suffered a series of malicious attacks in 2009, and earlier this year it weathered the biggest DDoS it had ever experienced. Eighteen million blogs are hosted by WordPress themselves, and estimates of the software’s true reach extend as high as a full ten percent of the Internet.
Automattic, the company behind WordPress, say they are reviewing logs and conducting a full investigation to find out how this breach occurred and to prevent it from happening again. In the meantime, they suggest anyone with a WordPress-hosted blog change their passwords.