Security Incident
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
(Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
April 13th, 2011 at 7:52 pm
Thank you so much Matt for letting us know.
So honest an attitude really makes my day.
April 13th, 2011 at 7:54 pm
Thank’s for the heads up. Nothing beats transparency.
April 13th, 2011 at 7:56 pm
Straightforward and honest. That’s why we love you. Good luck with your investigation and finding solutions.
April 13th, 2011 at 8:01 pm
Thanks for your efforts. Happens to even the biggest organizations and companies. Looks like you still have everyone’s trust.
April 13th, 2011 at 8:03 pm
Thank you for the update and great tip about the password tools – had never heard of them before but will definitely give them a go!
April 13th, 2011 at 8:03 pm
Thanks for the update.
April 13th, 2011 at 8:08 pm
From what you’ve said above, I presume that the exploit method is (was) specific to WP.com — but to clarify:
Does this exploit concern the code in WP.org at all?
April 13th, 2011 at 9:06 pm
It does concern WordPress.org-the-website but not WordPress-the-software that you likely host someplace else.
April 13th, 2011 at 8:09 pm
Thanks for the heads up! As tough enough as this ordeal must have been. I thank you guys for being so upfront with us! *Changes password while writing this*
April 13th, 2011 at 8:10 pm
Almost every site has its challenges but like most individuals here I am truly grateful that there is a company dedicated to keeping others informed. Thanks for letting us know and hope things get worked out soon!
April 13th, 2011 at 8:13 pm
That’s what I love about you guys. Always open and upfront. I am not surprised by this given the situation in the world. Thanks for being so viligiant. With you all the way!
April 13th, 2011 at 8:15 pm
Thank you for your openness. I’ve been with you for 3 months now, and I am very impressed with the manner in which you keep me in the loop.
April 13th, 2011 at 8:15 pm
Thank you for the heads-up.
April 13th, 2011 at 8:21 pm
Hey Matt,
I have a wordpress.org site that was working perfect yesterday, and today when I log in, all my information is completely gone, I cannot even edit or add any new posts to my blog, all my tabs, stats, widget bars are all missing but my public site looks and operates normal. Was my site effected by this breach or is it an unrelated problem? I really appreciate you taking the time to respond to the posts on here. Thanks.
April 13th, 2011 at 8:24 pm
That sounds unrelated — I would recommend contacting your host, and let us know if they’re unable to help you.
April 13th, 2011 at 8:27 pm
Thanks Matt, I opened a ticket with my host. Appreciate your quick reply.
April 13th, 2011 at 8:37 pm
Thanks for the update!
April 13th, 2011 at 8:50 pm
Hi Matt!
Thanks for the advice.
Count on us from Brazil.
April 13th, 2011 at 8:52 pm
tough times! thanks for the info. it is reassuring to know you’re paying attention to comments after the fact too.
hopefully, this can result in some new fresh eyes on my blog!
April 13th, 2011 at 8:56 pm
Thanks for transparency and keeping us informed, and for suggestions.
April 13th, 2011 at 8:58 pm
Thank you for keeping us informed. It also gave me the opportunity to install LastPass, which I had not heard of but which is an excellent product. Thank you
April 13th, 2011 at 9:00 pm
We would probably never even know it had happened. So, thank you for reassuring us this is the best place to be
April 13th, 2011 at 9:02 pm
Funny, this happened the day I got the most hits I’ve ever gotten — like an absurd amount on a post about Chinese espionage via telecom infiltration.
I also appreciate this breach being declared, but think members should receive an email as well.
April 13th, 2011 at 10:43 pm
Probably not related, but congrats on the traffic
April 13th, 2011 at 9:02 pm
Would be great if you included the link in the email on the whereabouts to change password..
April 13th, 2011 at 9:11 pm
Sorry about that, you can reset your password here: https://wordpress.com/wp-login.php?action=lostpassword
April 13th, 2011 at 9:05 pm
The drug we are on is called gratefulness.
Although I really do not like Internet, I really am glad I go there via WordPress. And although I really could not understand word of the warning message, I am glad I could come here and realize I do not need to. Thanks for this discussion, and for welcoming our replies.
I had planned to ask a question, today, when I got on, about a totally unrelated topic, but I think I will wait and let y’all catch up or whatever you have to do about this trouble. So will catch you later.
April 13th, 2011 at 9:05 pm
Good for you guys for putting the information out there. From a Marketing and Communications standpoint, it’s better to be honest up front than to try to explain after it gets out. I’m happy to see that it looks like our personal information didn’t really get out.
April 13th, 2011 at 9:08 pm
You are all doing a fine job. From what I can surmise, your organization could be one of the poster children for Eso-Merit Marketing. Excellent delivery of information with the intention of relationship. Well done.
April 13th, 2011 at 9:09 pm
Thanks for the heads up. Besides changing passwords any other steps you recommend taking?
April 13th, 2011 at 10:34 pm
That’s all right now.
April 13th, 2011 at 9:09 pm
I’m really scared for the safety of the blogs, but I appreciate that you let us know in advance. Let us know if there is anything else that we can do to protect our precious blogs!
April 13th, 2011 at 9:10 pm
Many thanks for the notice. We hope you can fix the problem.
April 13th, 2011 at 9:20 pm
Thank you for the update. Honesty, promptly, is always appreciated!
April 13th, 2011 at 9:21 pm
Thanks for letting us know Matt. Admire the transparency so much I’m signing up for a paid account.
April 16th, 2011 at 5:37 am
Wow — thank you!
April 13th, 2011 at 9:21 pm
Thanks for this note. WP R-O-C-K-S! Shame (in the strongest sense of the term) on those who hacked. They have their reward in full.
April 13th, 2011 at 9:25 pm
Just a thought. I’m thinking like a black hat. Have you tried to check if there was something inserted to your code. If I am going to risk being detected intruding your server, I’m going to make sure that I will have information about your next move. I know you guys have efficient IT experience but I just wanna throw my idea just in case.
Thank you for informing us.
April 14th, 2011 at 12:23 am
We have done a very thorough check and audit of all our systems.
April 13th, 2011 at 9:25 pm
Thanks for the info!
April 13th, 2011 at 9:25 pm
That’s what I like about WordPress, your honesty. Sure you guys don’t want to run for President?
April 13th, 2011 at 9:26 pm
Thanks so much.
April 13th, 2011 at 9:26 pm
Thanks for being up front about the issue. You have earned my trust.
I did notice that my post kept floating around – I don’t know if it had to do with the breach or my lousy skills.
Since I’m not writing about national security or have a massive reader data base, I’m not too concerned and trust you’ll do the right things to prevent this break in stuff in the future!
Keep up the good work,
April 13th, 2011 at 9:35 pm
Hello Matt. Have you considered that logs of your servers may have been tampered? With root access an intruder can erase all tracks.
April 14th, 2011 at 12:27 am
We have considered that.
April 13th, 2011 at 9:37 pm
WordPress.com Hacked – Time To Change Your Passwords – and the Positive Side of Transparency…
In a blog post titled simply “Security Incident”, Matt Mullenweg stated: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. and We presume our source code was expo…
April 13th, 2011 at 9:39 pm
Just reiterating all above posts, thanks for update.
April 13th, 2011 at 9:44 pm
“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”
I wonder how many WordPress users will understand much of the above? What is ‘Automattic’for instance?”
It sounds perfectly horrifying for users. I hope WordPress will come up with information that’s understandable only by techies.
Ann Isik
April 14th, 2011 at 12:27 am
Sorry it was confusing, if you’d like to learn more about Automattic visit here: http://automattic.com/
April 13th, 2011 at 9:44 pm
Thanks for keeping us in the loop! WordPress is the best ! Better than any other blogging platform!
April 13th, 2011 at 9:48 pm
Is it possible to know or obtain a note in our blogs, from you people, with a specific warning that our pass or something else was stolen or an abusive access was carried out in our blogs….?
April 14th, 2011 at 12:29 am
Not sure what you mean, but drop us a note in support and we’ll try to help you.
April 13th, 2011 at 9:49 pm
Thanks! I appreciate your time here commenting, and the clarification.
April 13th, 2011 at 9:49 pm
I am not trying to get specific on detail, but just wondering something. Why do you think it was motivated for the source code on the servers and not the database information?
April 14th, 2011 at 12:43 am
That’s based on the information we’ve gathered and seen so far.
April 13th, 2011 at 9:51 pm
Crap happens. Thanks for being open and transparent about it. I wish other sites were!
April 13th, 2011 at 10:02 pm
Nearly a week ago someone pointed out a problem with our WP-hosted site (it returned 504 – http://bit.ly/g5fBOW).
Was the beginning of the incident?
April 13th, 2011 at 11:10 pm
That sounds unrelated, but please give us a shout if it happens again and we’ll take a look.
April 13th, 2011 at 10:05 pm
Thank you for this. Can you tell us a simple way to back-up our site data? I am on a mac.
April 13th, 2011 at 11:04 pm
You can download an XML file of your blog’s content by going to Tools -> Export in your WordPress.com dashboard. You can find step-by-step instructions at http://support.wordpress.com/export.
If you’re looking for a secure backup for your WordPress.org site, check out VaultPress.
April 13th, 2011 at 10:14 pm
Did the attackers get the /etc/passwd file or the password database hashes? If so, then everyone should be a lot more concerned than whether or not attackers can get into your wordpress account. They’ll work on breaking the hashes with wordlists, rainbow tables or brute force and then start trying out the username/passwords on other web sites that you might use.
April 14th, 2011 at 3:07 pm
For servers it doesn’t matter since all the passwords were changed anyway. As for the database it doesn’t look like it, but even if they did the hash and salt method we use for passwords would make them difficult to reverse.
April 13th, 2011 at 10:17 pm
How bad is this?
April 14th, 2011 at 3:05 pm
It’s very serious, that’s why we wanted to communicate it on our blog.
April 13th, 2011 at 10:28 pm
Thanks for letting us know. Another reason to love WordPress. <3
April 13th, 2011 at 10:33 pm
Thank you Matt for the trusted assurance. Our utmost confidence is with you and team Automattic. Y’all get two smiley faces!
April 13th, 2011 at 10:38 pm
Thanks for the Security Incident post. Perhaps of interest to WordPress, in case you’re not already aware, are the subscriber notices issued by McKinsey Quarterly and Air Miles, both reporting similar security incidents (with their relative service providers), both just a little earlier this month, and both advising that the breach appears benign …
April 13th, 2011 at 10:40 pm
Thank you very much for this news update, Matt!
April 13th, 2011 at 10:45 pm
It may not be the case but interestingly I am reading this just after Malaysiakini moved to WordPress.com when their servers is under attack in light of Sarawak State Elections. See http://malaysiakinicom.wordpress.com/2011/04/13/malaysiakini-moves-to-new-site-goes-free-3/
April 13th, 2011 at 10:45 pm
Sorry to hear about it but thanks for the heads-up. WordPress has a lot to teach other on-line presences: always transparent, helpful, flexible and evolving. I love WordPress.
April 13th, 2011 at 10:46 pm
Thank you for letting us know.
April 13th, 2011 at 10:47 pm
I would like to know why morons would hack into WordPress. What advantages do they hope to gain? Are they after WP technical details or trying to get personal details off web sites? If the latter, they must be hard up for entertainment. Did this happen in the last 12 hrs? Keep up the great work. William
April 13th, 2011 at 11:42 pm
It’s impossible to know the motivations, and we’re not commenting any more on the attack right now.
April 13th, 2011 at 10:48 pm
Could passwords from twitter accounts linked to wordpress accounts be stolen or do I just have to worry about my wordpress password?
April 14th, 2011 at 12:01 am
We do not store your Twitter account password, so no need to worry there.
April 13th, 2011 at 10:50 pm
“Our investigation into this matter is ongoing and will take time to complete.”
Well of course, take your time, China is a fairly large place after all, so it’ll probably take less time if you concentrate on searching for your hacker in the coastal cities first.
April 13th, 2011 at 10:55 pm
Thanks for letting us know!
April 13th, 2011 at 10:58 pm
Thanks for the info.
April 13th, 2011 at 11:04 pm
Thanks for the info.
April 13th, 2011 at 11:09 pm
It was the space aliens. I know they have been eyeballing Automattic for quite some time wondering how such advanced technology could possibly. You should feel honored they bent space-time to hack in and retrieve it.
April 13th, 2011 at 11:11 pm
Thanks for the update. I actually did get a bunch of spam comments this weekend and some of them made it through to pending section. I deleted them all. Is that a sign that my account was hacked? Nothing has changed on my site.
April 14th, 2011 at 12:23 am
Nope maybe was just a blip in Akismet.
April 13th, 2011 at 11:12 pm
Q = what can happen if someone has broke in? does it mean there could be an identity theft problem?
What will we see if someone has taken our info?
April 13th, 2011 at 11:37 pm
We don’t think anyone has taken your info, so you shouldn’t see anything.
April 13th, 2011 at 11:24 pm
I am brand new to blogging, only 2 days in haha. It makes me feel good that ya’ll are open about these types of things! The internet is a scary place because your info can go anywhere without you knowing!!
April 13th, 2011 at 11:35 pm
I’m impressed that WordPress is so honest about this. It would have been very easy to try and hide it. Kudos!!!!!! That’s why I am a WordPress user
I do hope the passwords weren’t cracked though..
April 13th, 2011 at 11:36 pm
Thank you for being honest!
April 13th, 2011 at 11:43 pm
Thank-you so much for sharing this information with us, especially so quickly after it occured! It makes me question how safe the internet is. Certain websites are safer than others obviously, but WordPress is a site I use frequently and would have never expected an issue like this to occur. I plan to take your advice on the password suggestions. I know it sounds like common sense, but so many people use the same password or have a real weak one, so thanks for sharing. Keep up the blogging.
April 13th, 2011 at 11:43 pm
is it required to change password?
April 14th, 2011 at 3:08 am
It’s not required, but it’s a good idea to update your password regularly as a security fundamental. You can reset your password at https://wordpress.com/wp-login.php?action=lostpassword.
April 13th, 2011 at 11:55 pm
Thanks buddy!!!
April 13th, 2011 at 11:57 pm
I thought it was not safe to change the password now when the problem still unresolved.
So I hope you’ll inform us when this problem has been solved
April 14th, 2011 at 3:02 am
It’s safe to change your password. You can reset your password here: https://wordpress.com/wp-login.php?action=lostpassword
April 14th, 2011 at 12:09 am
Thanks for being upfront and informing us. We have full faith in WordPress that all will be resolved.
April 14th, 2011 at 12:12 am
I can not say that I am comfortable or that I feel this is a fully “transparent ” statement. Do you believe that personal information was revealed? Are you recommending that we change passwords and email connections?
I am doing sensitive political work with correspondents in the Middle East. I feel that I need more info.
April 14th, 2011 at 3:04 pm
It is highly unlikely that any personal information from your blog or account was looked at.
April 14th, 2011 at 12:14 am
Appreciate the warning, Matt.
Even when the news isn’t so cheerful it’s still good to know that we’re dealing with honest, open people.
April 14th, 2011 at 12:19 am
Thanks for taking care of business and the users. Any idea what the intention was?
April 14th, 2011 at 2:55 am
Nothing to say at this time.
April 14th, 2011 at 12:31 am
I never cease to be impressed with how you guys handle these issues. It is exemplary!
If every organization handle themselves as WP does, the world would be in far better shape!!! TY
April 14th, 2011 at 12:31 am
Thank you for promptly posting this.
April 14th, 2011 at 12:38 am
Thank you Matt! Did this affect self hosted blog accounts as well?
April 14th, 2011 at 2:50 am
Self-hosted accounts are not affected.
April 14th, 2011 at 12:43 am
I’m new to WordPress and I appreciate this kind of “heads-up”. As much as I hate trying to remember several different (complicated) passwords, it’s getting more and more important to do so these days!
April 14th, 2011 at 12:46 am
Thank you. I appreciate the disclosure because it reinforces my sense that there are decent and solid people behind WordPress. I did a lot of research before I launched my blog and am very happy I chose this company.
April 14th, 2011 at 1:11 am
Thank you for the transparency!
April 14th, 2011 at 1:14 am
Thanks for informing the users, crap happens. I got spam to the email address I use here on 13 Apr 2011 18:26:53 -0000, offering “Rayon PCIe Serial Cards” from Acceed in german language. May be pure coincidence, spam on that address is very rare but does happen (like once every few weeks).
April 14th, 2011 at 3:30 am
Most likely pure coincidence – there’s a lot of spam out there.
Feel free to drop us a line if you have any questions.
April 14th, 2011 at 1:16 am
Appreciate the initiative to let us know even if (so far) users don’t experience anything strange (yet)! Will change passwords now… Not that they’d be interested in my blog anyway but if they will be trying to make a statement (and just gathering force now), then it’s time to secure our blogs.
April 14th, 2011 at 1:18 am
I have suddenly been receiving mail from blogs to which I never subscribed. Could this be related?
Thanks!
April 14th, 2011 at 3:18 am
It’s likely unrelated, but drop us a line with details and we’ll take a look.
April 14th, 2011 at 1:26 am
I really believe that the true measure of an organization occurs not when they are at their best, but rather when they are at their worst. That is when you see real leadership. That is when you see people making tough decisions and going that extra mile to make things right.
Thank you Matt, and the rest of the Automattic team. We really do appreciate all your hard work. We know you’ve got it covered.
April 14th, 2011 at 1:36 am
Thanks for the heads-up. Hope who ever it was got an earful! Any idea what they were actually after? I know there is a concentrated attack on emails in general going on at the moment, looks like a random-sort program kicking up short alphanumerics, repeating for their passwords, then shooting some very unpleasant spam to their contact lists. Any chance these guys were shopping for a “mailing list”?
(btw, “WordPress passwords are hashed and salted using phpass.” – sounds delicious!)
April 14th, 2011 at 3:40 am
The activity appears to have been largely exploratory, and not targeted at a specific area. We’re still investigating.
April 14th, 2011 at 1:54 am
Thanks Matt! “Go Get em” and thanks to WordPress for making me look good!
April 14th, 2011 at 1:55 am
Thanks for the (open) news. The most important thing is to react/recover quickly. Hopefully it doesn’t happen again.
April 14th, 2011 at 2:11 am
Thank you for the honesty! I have been meaning to change passwords so I just did that for a bunch of things.
April 14th, 2011 at 2:50 am
Appreciate the announcement.