Security Incident

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.


Missing out on the latest WordPress.com developments? Enter your email below to receive future announcements direct to your inbox. An email confirmation will be sent before you will start receiving notifications - please check your spam folder if you don't receive this.

Join 17,264,649 other followers

Matt

396 Comments

Comments are closed.

  1. Andrew Rowley

    Thanks for the update team. Crap happens, but you’re always keeping us up to date. Much appreciated. Hopefully no one was exposed too badly.

    Like

  2. Sara

    Thank you for being transparent!

    Like

  3. aafke

    Thanks for the info. All the best!

    Like

  4. Andrew

    Thanks for all your hard work, guys!

    Like

  5. Pingback: WordPress.com details a “low-level” security breach - TNW Media
  6. Zen

    Thank you sir. :)

    Like

  7. biodork

    Thanks for keeping us in the loop.

    Like

  8. anenglishmaninoostende

    Thank you for your prompt and honest post.

    Like

  9. mrpatrickblog

    Yikes… Glad you guys are up front about it though. Much appreciated.

    Like

  10. P Banks

    Thanks for keeping us informed, much appreciated!! Such a shame that some people feel it necessary to break into a site as great as WP.com. :-(

    Like

  11. Eric

    Thanks for being on this problem as quickly, WP IT team!

    Like

  12. twinklestar25

    My advice is to change your password once in a while. In school we do this to prevent security issues.

    Like

  13. missionsinmind

    Honesty and transparency are rare. Thank you for being upfront and so quick to let us know!

    Like

  14. sweetkari

    Thanks for the info. :)

    Like

  15. George

    Honesty is the best policy.

    Like

  16. Pranab

    This is what I find so great about WordPress.com. It takes a lot of guts to admit a fault which may have otherwise been overlooked by the community. Thanks for the honesty and transparency.

    Like

  17. valzone

    Thank you, your advise is heeded.

    Like

  18. glebkhol

    My condolences.
    Were you storing passwords in plain-text or hashed?!

    Like

  19. Alycia Nichols

    Thank you for letting us know! Sorry it happened. Stupid hackers!

    Like

  20. nelson RN

    Thanks for telling us!

    Like

  21. juststart

    So should we be concerned about our password being taken? This post alludes to that but doesn’t confirm.

    Like

    • Matt

      We don’t have evidence of passwords being taken, and even if they had they’d be difficult to crack. However it’s never a bad idea to update your password, especially if you used the same password in two places.

      Like

  22. Stephen

    Thanks WordPress.com. These things happen when you are the coolest kid on the block.

    Will roll out a new password sooner than the normal 30 days to be safe(r).

    Cheers, Stephen

    Like

  23. kimkircher

    Hopefully nothing too sensitive was breached. Thanks for keep us in the loop.

    Like

  24. Will Cookson

    It’s great that you have told us as soon as you knew. It makes it far easier to trust you.

    Like

  25. shuttlehall

    Security breaches are a fact of life in todays world. Honesty is the best policy for those that you serve. Eternal vigilance is the price of freedom.
    Those things that don’t kill us make us stronger… I guess that’s enough proverbs for the day. Thanks for informing us.

    Like

  26. E.C.

    Thanks for watching out for us. :)

    Like

  27. arierahayu

    Thanks for informing us, Matt. :D

    Like

  28. Pingback: One More Reason To Love Wordpress | Scepticemia
  29. nonprofitbrandingblog

    I trust you folks and your wonderful product. Knowing that you will stay on task and keep me informed, I find no reason to be seriously concerned.

    Like

  30. Nimelloth

    The fact that you informed us really makes you trustworthy, thank you very much.

    Like

  31. Michael

    Thanks for your hard work in keeping this site secure! Passwords should be complex, long, and changed every so often!

    Like

  32. Dzulqarnain

    Thanks for notifying us.

    Like

  33. The Teenage Taste

    Thanks for keeping us informed!

    Like

  34. Sharon

    Gyuh. Thanks for the heads up.

    Like

  35. genericthrowawayaccount

    So can you elaborate on what services were affected and whether any user data was likely to have been exposed? Are you reiterating those security fundamentals because users have some reason to be concerned, or just because?

    Like

    • Matt

      This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices.

      Like

  36. Pingback: WordPress.com Servers Broken Into
  37. Veronica/Mentale Godtepose

    Another thank you for the info. I haven’t really my changed password for a long while anyway, so I changed today. Can’t hurt. :)

    Like

  38. IslandEAT

    I really appreciate your letting us know, Matt and WP.

    Like

  39. floridapast

    What a thing for a brand new user (as of last evening) to hear. Not very promising, but at least the whistle blew. Good for you!

    Like

  40. West Annex News

    Wow, it’s been nothing but bad news from you guys lately. I’m disappointed that these attacks continually get the better of you.

    I’m not sure what drugs the rest of the commenters are on (or perhaps you just screen comments so only the perkiest, most upbeat get published, in which case, I worry about you guys even more) but I am distressed by the continual service interruptions and security breaches.

    Like

    • Matt

      I’m sorry, you should expect better from us and we’re trying our best to live up to those expectations.

      Like

  41. Mary

    Thanks for letting us know!

    Like

  42. YourNaturalHealthcarePlan

    Thank you for the warning, it’s greatly appreciated!

    Like

  43. Pingback: Wordpress.com Suffers Security Breach | Arik Hesseldahl | NewEnterprise | AllThingsD
  44. David (1MereMortal)

    I appreciate the heads up.

    Like

  45. Pingback: WordPress Servers Hit in Security Breach | NexGen SEM
  46. dogs12

    Thank you for the 411. I know that your organization does everything it can to ensure that this won’t happen again. The world is full of individuals whose skills and knowledge in this area pose a constant challenge for you.

    I feel safe with WordPress.com, and I couldn’t be happier with the service.

    Like

  47. Richard Allen

    omgtheyhackzurserverzweizgunnadieztakecover!

    Eh at this point, I expect all of my data to be all over the internet. Not even government networks are safe anymore. I say if you put your data on any site, expect that it will probably at one time or another get stolen. I don’t blame WordPress at all, mind you. I am sure they did everything they could to avoid such an occurrence, but things happen. At least they let us know about it.

    Like

  48. ALIVEalways

    :@ tough break! I guess I’ll have to change my password. 8)

    Like

  49. the rufus

    Thanks for informing us. It shows that WordPress.com is very interesting.

    Like

  50. Steve Revill

    Thanks for the heads up. Keep the communication open, honest and timely, and you’ll stand head and shoulders above the rest of the recent victims. Good to know that my password is hashed and salted [?!], but this is a useful prompt to change it anyway.

    Like

  51. Josthy

    Thank you for the info!!!

    Like

  52. Hunter

    Appreciate the timely information, and your transparency.

    Like

  53. Sandy Collum Sandmeyer

    I appreciate your honesty in revealing this breach.

    Like

  54. metaglossia

    Thanks for letting us know. We trust WordPress.

    Like

  55. pltprincess

    The timely and honest update, as well as the security suggestions are much appreciated.

    Like

  56. Rob Haster

    Thanks for the information and good luck in your investigation. What a strange world we’re in. Keep up the good work!

    Like

  57. squeezedwords

    Glad there is someone willing to do the hard work at WordPress, so I can do easy stuff like blogging.

    Like

  58. Silicon Base

    Thanks for being open, I appreciate it. Gives a new meaning to kicking the bucket :)

    Like

  59. PiedType

    Thanks for the heads up, Matt. It’s only natural that when you’re Number One, everyone will be gunning for you. Consider it a compliment. :)

    Like

  60. Ray Joseph Cormier

    Thanks for the heads-up. Who knows what the hackers were looking for.

    Like

  61. dimigrigos1

    Thanks a lot for the Honesty and fast Notification. Just great Behavior!

    Like

  62. thefengshuidiva

    Wow! Thanks for letting us all know. Don’t those hackers have better things to do.

    Like

  63. carolynquinn

    Thank you for always being on top of everything! For the record, I’ve gotten about six different spam emails in the last half hour. I wonder if it’s related, since usually my email system doesn’t let any spam get past the spam filter.

    Like

    • Matt

      It is highly unlikely it’s related, but we will keep an eye out for other users reporting anything similar.

      Like

  64. Pingback: 37prime.news » Automattic and WordPress.com: Security Incident.
  65. Pingback: WordPress.com Servers Hit in Security Breach
  66. doctorwhofan98

    Thanks for telling us. :-)

    Like

  67. MARANTHA JENELLE

    Hey Matt, great job on updating us all. Don’t you dare feel guilty if problems occur. You guys are terrific, as is this site.

    Like

  68. greenlif3

    That sucks. Thanks for the advice.

    Like

  69. Game designer

    By ” potentially anything on those servers could have been revealed” do you mean that our credit cards numbers and other non public infos like personal phone and such may be available on the black market ?

    Like

    • Matt

      We have no reason to believe any personal info like phone numbers were revealed, and definitely not anything like credit card numbers.

      Like

  70. bwohack

    Thanx for sharing. My sites seem perfectly fine.

    Like

  71. Musicofourheart

    Thank you for being up front with us by communicating and protecting us and WordPress. I hope the forensic study leads you to the party who conducted this action.

    Like

  72. Valentine Bonnaire

    <3 you WP team of fabsters!

    Like

  73. brutug

    Security is all of our responsibility, thank you for the heads up as well as the untarnished presentation.

    Like

  74. VenueView

    All my WordPress installs are on private domains not wordpress.com — is this breach only of concern to users on the wordpress.com servers?

    Like

  75. urban molecule

    Thanks for being upfront and sharing the info right away. Your hard work is appreciated!

    Like

  76. ronankeatingfans

    Kudos for being so open about the incident. Many other websites would just deny that any data may have been revealed to make it sound like they are 100% secure when they really aren’t.

    Like

  77. Aidyl

    Thanks a lot for letting us know about this. It must have been hard to say! My dad was in IT security, and he was on me all the time for passwords, etc, since security is hard to keep these days.

    Like

  78. Confounding

    Thanks for the alert. I wonder what the hackers stand to gain from whatever they ‘got’.
    Cheers.

    Like

    • Matt

      It is too early to say — it appears that the activity was largely exploratory, not targeted at a specific area, but we are still investigating.

      Like

  79. Ray Joseph Cormier

    Matt, thanks to you and everyone at WordPress for creating and maintaining such an excellent site that is always getting better.

    Like

  80. fosterdentalcare

    Thank you for letting us know! It is appreciated.

    Like

  81. heoni

    Thank you so much for being open and honest about the problem at hand. Continue the excellent work!

    Like

  82. Jennifer

    Thanks for letting us know, Matt. When we change our passwords, will we then have to reauthorize publicize services like twitter, etc.?

    Like

  83. onemom4rugrats

    Good thing I have nothing worth stealing. :) Thanks for saying what you did not have to say!

    Like

  84. johnmcgeeblog

    Thanks for the update, the disclosure, and your honesty. I appreciate that!

    Like

  85. flynn

    Thanks for the information!

    Like

  86. James Pat Guerréro

    Thanks.

    Like

  87. devinbaker

    Thank you. A lot of companies won’t tell you when they have a problem like this. It’s nice to know you are honest and clear.

    Like

  88. sjames318

    Thanks for the information and your dedication to clearing this up.

    Like

  89. Charlousie

    Too many security incidents around the web. I am already using different passwords, but there is still a lot of uncertainty. Stupid stuff. :(
    Thanks for the update!

    Like

  90. Don in Mass

    Thank you for the update.

    Like

  91. screen_scribbla

    Thank you for conveying the tough news.

    Like

  92. The Hewitts

    I really appreciate you telling us about this. I actually feel more secure when companies I do business with, let me know that there’s a problem and that they’re working to hopefully prevent this in the future as well as protect my information. Why can’t we all admit a mistake or potentially damaging problem or issue??

    What I don’t like is when people sweep things under the rug as if nothing happened… “Let’s not say anything and maybe no one will find out.” It’s very important for a company to tell me when there’s a problem, because now I’m equipped to do what I need to do, on my end!

    Thanks again and Kudos!

    Like

  93. Pingback: Nerds In Stereo » Blog Archive » WordPress Servers Hacked, Code “Exposed and Copied” - Ramblings from the Dev and the Admin
  94. edagan

    Thanks for the update, Matt. Tough as it is, you guys always shine in letting everyone know – and transparency means trust – so kudos to you.

    One question though: is VaultPress hosted on the compromised servers, and if so are there any implications for sites using its plugin? My question relates to the access details and APIs used by VaultPress to access the blogs it backs up. If any of these were exposed by the hack, then presumably we’ll need to change them.

    Like

  95. wk

    Thanks for your honesty, and for your suggestions.

    Like

  96. Obed Betancourt

    Thanks for the announcement. Remember you have to beef up security, seeing as you host some very important VIP blogs and newspapers on your servers. Best of luck.

    Like

  97. lachicaorganica

    You guys are awesome!! I really appreciate you spilling the beans so quickly. Gob Bless your efforts and hoping you can find the people who did this.

    Like

  98. copperbeechhouse

    Have you been able consider any motivation, or particulars to any sites, political or otherwise?
    Thanks

    Like

  99. Mike

    Appreciate the update!

    Like

  100. nouvellecythere

    It’s quite strange to read “Security incident” near you’re big smile on your gravatar. Thank’s for the clear message.

    Like

Follow

Get every new post delivered to your Inbox.

Join 17,264,649 other followers

%d bloggers like this: