Security Incident
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As noted above, we have re-secured the avenues used to gain access, and we've taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
Apr 13th at 4:49 pm
Thanks for the update team. Crap happens, but you’re always keeping us up to date. Much appreciated. Hopefully no one was exposed too badly.
Apr 13th at 4:52 pm
Thank you for being transparent!
Apr 13th at 4:52 pm
Thanks for the info. All the best!
Apr 13th at 4:54 pm
Thanks for all your hard work, guys!
Apr 13th at 4:56 pm
Thank you sir.
Apr 13th at 4:56 pm
Thanks for keeping us in the loop.
Apr 13th at 4:58 pm
Thank you for your prompt and honest post.
Apr 13th at 5:00 pm
Yikes… Glad you guys are up front about it though. Much appreciated.
Apr 13th at 5:00 pm
Thanks for keeping us informed, much appreciated!! Such a shame that some people feel it necessary to break into a site as great as WP.com.
Apr 13th at 5:09 pm
Thanks for being on this problem so quickly, WP IT team!
Apr 13th at 5:13 pm
My advice is to change your password once in a while. In school we do this to prevent security issues.
Apr 13th at 5:13 pm
Honesty and transparency are rare. Thank you for being upfront and so quick to let us know!
Apr 13th at 5:14 pm
Thanks for the info.
Apr 13th at 5:14 pm
Honesty is the best policy.
Apr 13th at 5:15 pm
This is what I find so great about WordPress.com. It takes a lot of guts to admit a fault which may have otherwise been overlooked by the community. Thanks for the honesty and transparency.
Apr 13th at 5:17 pm
Thank you, your advice is heeded.
Apr 13th at 5:18 pm
My condolences.
Were you storing passwords in plain-text or hashed?!
Apr 13th at 5:27 pm
WordPress passwords are hashed and salted using phpass.
Apr 13th at 5:18 pm
Thank you for letting us know! Sorry it happened. Stupid hackers!
Apr 13th at 5:19 pm
Thanks for telling us!
Apr 13th at 5:20 pm
So should we be concerned about our password being taken? This post alludes to that but doesn’t confirm.
Apr 13th at 5:29 pm
We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.
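The two replies above say that WordPress stores passwords as salted phpass hashes and that, even if the hashes were copied, they would be difficult to crack. To make that concrete, here is an added Python re-implementation of the phpass "portable" ($P$) hash format that WordPress uses; it is example code written for this page, not Automattic's, WordPress's or phpass's own code. The encoding, salt handling and iteration loop follow the published phpass algorithm. The work-factor constant assumes stock WordPress, which constructs PasswordHash(8, true) and on PHP 5 ends up with 2^13 = 8192 MD5 rounds (hashes beginning "$P$B"); the post does not say what WordPress.com's servers were configured with, so treat that number as an assumption.

```python
"""phpass portable hash ($P$...) re-implemented for illustration.

Added example, not Automattic's or phpass's code. Format of a stored hash:
  $P$ + one itoa64 char (log2 of the round count) + 8-char salt + 22-char digest
"""
import hashlib
import secrets

# phpass's own base-64 alphabet; the ordering is part of the format.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumption: stock WordPress uses PasswordHash(8, true); gensalt adds 5 on
# PHP 5+, so stored hashes carry ITOA64[13] == 'B', i.e. 2**13 MD5 rounds.
WP_COUNT_LOG2 = 13


def encode64(data: bytes) -> str:
    """phpass's little-endian base-64: 3 bytes -> 4 chars, 16 bytes -> 22 chars."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def crypt_private(password: str, setting: str) -> str:
    """Hash `password` under the salt/cost prefix `setting` (phpass crypt_private).

    Returns '*0' (or '*1' if the input already starts with '*0') on malformed
    settings, so a bogus stored value can never compare equal to itself.
    """
    bad = "*1" if setting.startswith("*0") else "*0"
    if setting[:3] not in ("$P$", "$H$"):
        return bad
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return bad
    salt = setting[4:12]
    if len(salt) != 8:
        return bad
    pw = password.encode("utf-8")
    # First round binds the salt, then 2**count_log2 chained MD5 rounds.
    h = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h)


def hash_password(password: str, count_log2: int = WP_COUNT_LOG2) -> str:
    """Generate a fresh random salt and hash the password (phpass HashPassword)."""
    salt = encode64(secrets.token_bytes(6))  # 6 random bytes -> 8 salt chars
    return crypt_private(password, "$P$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash under the stored salt/cost and compare in constant time."""
    return secrets.compare_digest(crypt_private(password, stored), stored)


def rounds_in(stored: str) -> int:
    """How many MD5 rounds an attacker must compute per guess against this hash."""
    return 1 << ITOA64.find(stored[3])


if __name__ == "__main__":
    # Constructed sample input; the salt is random so the output differs per run.
    h = hash_password("correct horse battery staple")
    print(h, rounds_in(h), check_password("correct horse battery staple", h))
```

Two things the code makes visible: the salt means two users with the same password get different hashes, so a leaked table cannot be attacked with one precomputed dictionary, and the cost character fixes how many MD5 rounds each guess costs. MD5 is still cheap on GPUs, so 8192 rounds slows a dictionary attack rather than stopping it; that is why the post's advice to avoid reusing a password across sites matters even though the hashes are salted.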
Apr 13th at 5:20 pm
Thanks WordPress.com. These things happen when you are the coolest kid on the block.
Will roll out a new password sooner than the normal 30 days to be safe(r).
Cheers, Stephen
Apr 13th at 5:22 pm
Hopefully nothing too sensitive was breached. Thanks for keeping us in the loop.
Apr 13th at 5:22 pm
It’s great that you have told us as soon as you knew. It makes it far easier to trust you.
Apr 13th at 5:25 pm
Security breaches are a fact of life in today's world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.
Apr 13th at 5:26 pm
Thanks for watching out for us.
Apr 13th at 5:26 pm
Thanks for informing us, Matt.
Apr 13th at 5:30 pm
I trust you folks and your wonderful product. Knowing that you will stay on task and keep me informed, I find no reason to be seriously concerned.
Apr 13th at 5:31 pm
The fact that you informed us really makes you trustworthy, thank you very much.
Apr 13th at 5:31 pm
Thanks for your hard work in keeping this site secure! Passwords should be complex, long, and changed every so often!
Apr 13th at 5:32 pm
Thanks for notifying us.
Apr 13th at 5:33 pm
Thanks for keeping us informed!
Apr 13th at 5:35 pm
Gyuh. Thanks for the heads up.
Apr 13th at 5:41 pm
So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?
Apr 14th at 3:26 pm
This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.
Apr 13th at 5:44 pm
Another thank you for the info. I haven't really changed my password for a long while anyway, so I changed it today. Can't hurt.
Apr 13th at 5:44 pm
I really appreciate your letting us know, Matt and WP.
Apr 13th at 5:50 pm
What a thing for a brand new user (as of last evening) to hear. Not very promising, but at least the whistle blew. Good for you!
Apr 13th at 5:52 pm
Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.
I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.
Apr 13th at 6:18 pm
I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.
Apr 13th at 5:57 pm
Thanks for letting us know!
Apr 13th at 6:00 pm
Thank you for the warning, it’s greatly appreciated!
Apr 13th at 6:05 pm
I appreciate the heads up.
Apr 13th at 6:07 pm
Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.
I feel safe with WordPress.com, and I couldn’t be happier with the service.
Apr 13th at 6:07 pm
omgtheyhackzurserverzweizgunnadieztakecover!
Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.
Apr 13th at 6:08 pm
:@ tough break! I guess I’ll have to change my password. 8)
Apr 13th at 6:08 pm
Thanks for informing us. It shows that WordPress.com is very interesting.
Apr 13th at 6:09 pm
Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.
Apr 13th at 6:09 pm
Thank you for the info!!!
Apr 13th at 6:10 pm
Appreciate the timely information, and your transparency.
Apr 13th at 6:14 pm
I appreciate your honesty in revealing this breach.
Apr 13th at 6:14 pm
Thanks for letting us know. We trust WordPress.
Apr 13th at 6:17 pm
The timely and honest update, as well as the security suggestions are much appreciated.
Apr 13th at 6:19 pm
Thanks for the information and good luck in your investigation. What a strange world we’re in. Keep up the good work!
Apr 13th at 6:20 pm
Glad there is someone willing to do the hard work at WordPress, so I can do easy stuff like blogging.
Apr 13th at 6:24 pm
Thanks for being open, I appreciate it. Gives a new meaning to kicking the bucket.
Apr 13th at 6:25 pm
Thanks for the heads up, Matt. It’s only natural that when you’re Number One, everyone will be gunning for you. Consider it a compliment.
Apr 13th at 6:28 pm
Thanks for the heads-up. Who knows what the hackers were looking for.
Apr 13th at 6:28 pm
Thanks a lot for the honesty and fast notification. Just great behavior!
Apr 13th at 6:31 pm
Wow! Thanks for letting us all know. Don't those hackers have better things to do?
Apr 13th at 6:36 pm
Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.
Apr 13th at 7:07 pm
It is highly unlikely it’s related, but we will keep an eye out for other users reporting anything similar.
Apr 13th at 6:38 pm
Thanks for telling us.
Apr 13th at 6:39 pm
Hey Matt, great job on updating us all. Don’t you dare feel guilty if problems occur. You guys are terrific, as is this site.
Apr 13th at 6:39 pm
That sucks. Thanks for the advice.
Apr 13th at 6:39 pm
By “potentially anything on those servers could have been revealed” do you mean that our credit card numbers and other non-public info like personal phone numbers and such may be available on the black market?
Apr 13th at 6:58 pm
We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.
Apr 13th at 6:40 pm
Thanx for sharing. My sites seem perfectly fine.
Apr 13th at 6:42 pm
Thank you for being up front with us by communicating and protecting us and WordPress. I hope the forensic study leads you to the party who conducted this action.
Apr 13th at 6:44 pm
<3 you WP team of fabsters!
Apr 13th at 6:45 pm
Security is all of our responsibility, thank you for the heads up as well as the untarnished presentation.
Apr 13th at 6:46 pm
All my WordPress installs are on private domains not wordpress.com — is this breach only of concern to users on the wordpress.com servers?
Apr 13th at 7:05 pm
Correct.
Apr 13th at 6:51 pm
Thanks for being upfront and sharing the info right away. Your hard work is appreciated!
Apr 13th at 6:55 pm
Kudos for being so open about the incident. Many other websites would just deny that any data may have been revealed to make it sound like they are 100% secure when they really aren’t.
Apr 13th at 7:00 pm
Thanks a lot for letting us know about this. It must have been hard to say! My dad was in IT security, and he was on me all the time for passwords, etc, since security is hard to keep these days.
Apr 13th at 7:02 pm
Thanks for the alert. I wonder what the hackers stand to gain from whatever they ‘got’.
Cheers.
Apr 13th at 7:25 pm
It is too early to say — it appears that the activity was largely exploratory, not targeted at a specific area, but we are still investigating.
Apr 13th at 7:07 pm
Matt, thanks to you and everyone at WordPress for creating and maintaining such an excellent site that is always getting better.
Apr 13th at 7:08 pm
Thank you for letting us know! It is appreciated.
Apr 13th at 7:09 pm
Thank you so much for being open and honest about the problem at hand. Continue the excellent work!
Apr 13th at 7:12 pm
Thanks for letting us know, Matt. When we change our passwords, will we then have to reauthorize publicize services like twitter, etc.?
Apr 13th at 7:22 pm
Nope, those connections should be maintained.
Apr 13th at 7:14 pm
Good thing I have nothing worth stealing.
Thanks for saying what you did not have to say!
Apr 13th at 7:17 pm
Thanks for the update, the disclosure, and your honesty. I appreciate that!
Apr 13th at 7:19 pm
Thanks for the information!
Apr 13th at 7:20 pm
Thanks.
Apr 13th at 7:28 pm
Thank you. A lot of companies won’t tell you when they have a problem like this. It’s nice to know you are honest and clear.
Apr 13th at 7:29 pm
Thanks for the information and your dedication to clearing this up.
Apr 13th at 7:31 pm
Too many security incidents around the web. I am already using different passwords, but there is still a lot of uncertainty. Stupid stuff.
Thanks for the update!
Apr 13th at 7:33 pm
Thank you for the update.
Apr 13th at 7:38 pm
Thank you for conveying the tough news.
Apr 13th at 7:39 pm
I really appreciate you telling us about this. I actually feel more secure when companies I do business with, let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue??
What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!
Thanks again and Kudos!
Apr 13th at 7:42 pm
Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.
One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.
Apr 13th at 7:44 pm
Thanks for your honesty, and for your suggestions.
Apr 13th at 7:47 pm
Thanks for the announcement. Remember you have to beef up security, seeing as you host some very important VIP blogs and newspapers on your servers. Best of luck.
Apr 13th at 7:48 pm
You guys are awesome!! I really appreciate you spilling the beans so quickly. God bless your efforts and hoping you can find the people who did this.
Apr 13th at 7:50 pm
Have you been able to consider any motivation, or particulars of any sites, political or otherwise?
Thanks
Apr 13th at 7:58 pm
Nothing to say at this time.
Apr 13th at 7:51 pm
Appreciate the update!
Apr 13th at 7:52 pm
It’s quite strange to read “Security incident” near your big smile on your gravatar. Thanks for the clear message.