Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
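The three points above can be put into working code. The following is an added example written for this edit, not code from Automattic or the WordPress.com post: it generates a password from a cryptographically secure random source with letters, digits and punctuation, reports the entropy such a password carries, and flags any password that appears on more than one site in a (constructed, hypothetical) credential list.

```python
import math
import secrets
import string

# The character classes the advice names: letters, "numbers" (digits) and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn with a CSPRNG (the secrets module).

    Rejection sampling retries until the result holds at least one letter, one
    digit and one punctuation character; this costs a fraction of a bit of
    entropy compared with a fully uniform draw, which is negligible at 16+ chars.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def reused_passwords(credentials: dict) -> dict:
    """Map every password used on more than one site to the sites that share it.

    `credentials` is {site: password}; the result is {password: [site, ...]}.
    """
    by_password: dict = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample data for illustration only; the site names are hypothetical.
SAMPLE_CREDENTIALS = {
    "blog.example": "Tr0ub4dor&3",
    "mail.example": "Tr0ub4dor&3",   # same password reused on a second site
    "bank.example": "zK7$pq!Lm2@vRw9#",
}


def audit_sample() -> dict:
    """Run the reuse check over the constructed sample and return the offenders."""
    return reused_passwords(SAMPLE_CREDENTIALS)


if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw)
    print("entropy of a 16-char password over 94 symbols: %.1f bits"
          % entropy_bits(16, len(ALPHABET)))
    print("entropy of an 8-char lowercase-only password: %.1f bits"
          % entropy_bits(8, 26))
    for shared, sites in audit_sample().items():
        print("password reused on %d sites: %s" % (len(sites), ", ".join(sites)))
```

The entropy figures make the first bullet concrete: sixteen random characters from the full 94-symbol set give roughly 105 bits, while eight lowercase letters give under 38 bits. The reuse check is the third bullet in miniature: if a password shows up on two or more sites, a breach at any one of them exposes the rest.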
Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support.
- Apr 13, 2011 @ 4:46 pm
Apr 14th at 4:05 am
Thanks! Your team is much more on the ball than the e-retailer that didn’t bother to tell me their site was compromised until I complained about being spammed by their “secure” site.
Apr 14th at 4:16 am
Wow, this is good to know. Thanks!!!
Apr 14th at 4:18 am
Thanks for letting us know and keeping us up to date.
Apr 14th at 4:20 am
Thanks for the suggestions, they’re really helpful!
Apr 14th at 4:33 am
Oh damn, I thought ‘security incident’ was a new theme and it sounded cool
You guys do a great job, thanks for all your hard work.
Apr 14th at 4:34 am
dang. that’s rough. we’re glad to know about this incident.
Apr 14th at 4:46 am
thanks for updates
Apr 14th at 5:08 am
Guys, Thank You so much for the heads up. Even the best fall like the recent Epsilon breach. According to some reports Epsilon knew about a vulnerability on their side but they didn’t warn their users before like you did. I’m sure you will do in all your power to protect our data. I have a question though; I don’t understand when you said “Use different passwords for different sites”.
Apr 14th at 5:14 am
Do you know whether any code was changed? Could the person/people who broke in have modified the code to send an email back to them any time someone changes their password?
Apr 14th at 5:30 am
Thank you for informing, advising and helping us understand. This is unfortunate, but it seems like the way of the world.
Thank you for letting us know.
Apr 14th at 5:38 am
Sadly, some folks haven’t figured out the way karma works, but will. Thanks for the update. I really appreciate your frankness and hope this is all resolved soon. Take good care, all of you!
Apr 14th at 5:46 am
Not good news, but great that you’re being upfront about it – appreciate the info.
Apr 14th at 6:20 am
Thanks! I will change my password right away!
Apr 14th at 6:28 am
Thank you for the info Matt, much appreciated!
Apr 14th at 7:10 am
Thank you for sharing.
Apr 14th at 7:42 am
Thank you for keeping us informed and for responding to people’s concerns quickly. Yay WordPress!
Apr 14th at 7:53 am
Thanks for sharing such an incident to the users (which most organizations would hide).
Apr 14th at 8:29 am
thank you so much.. all our blogs mean so much more to us and u just made us care for them all the more matt.. will be more cautious now =P
Apr 14th at 8:36 am
Thanks for the update – You’ve turned a negative into a positive by thinking to share some really good advice about using different passwords and how to manage them effectively. I use KeePass and will have a look at the others you mentioned for other clients. The other one to emphasise is the importance of backup and recovery procedures, that way if you lose everything you can at least get it back (or do a compare to help work out what may have been changed).
Apr 14th at 8:41 am
Fight the good fight! Thanks for keeping us informed.
Apr 14th at 8:53 am
Thanks for being clear on this.
Apr 14th at 9:30 am
it’s great that WordPress is so personal and always keeps us informed thank you!
Apr 14th at 9:34 am
Thanks for letting us know – luckily I was thinking about changing my set of passwords anyway.
Apr 14th at 9:46 am
I love WP, and try to talk my Blogger friends into making the big switch. Hey, junk happens. Thank for giving us the heads up on the situation! Appreciate it!
Apr 14th at 10:11 am
Your transparency is very much appreciated. Will heed your advice now.
Apr 14th at 10:45 am
We do appreciate, please update us for any new security incidents.
Apr 14th at 10:50 am
In my bad English I’d like to say ‘thank you’ for your honesty and transparency, which I didn’t find in any other platform.
Apr 14th at 10:51 am
Information dissemination is important. Thanks a lot and regards.
Apr 14th at 11:36 am
Thanks for letting your customers know :). K
Apr 14th at 11:41 am
Thanks for all you do! I love having this great free service for sharing thoughts and keeping track of friends. Your team does a great job, and I appreciate it!!
Apr 14th at 12:10 pm
Thanks for the heads up. “)
Apr 14th at 12:12 pm
Better we know than we don’t. New passwords are easy, so… done!
Living on the web is like living in the city… lock the doors, look both ways before crossing and wash your hands!
Thanks for the update!
Apr 14th at 12:18 pm
Thanks for the update! Sending hope you repair things soon.
Apr 14th at 12:49 pm
Thanks for letting us make stronger passwords.
Apr 14th at 12:58 pm
Many thanks, I really appreciate your work and this frank attitude! Good luck, Matt!
Apr 14th at 1:14 pm
Thank you, WordPress, for your generous hosting of our blogs! And a big “Thank you” to the wizards, WordPress’ Happiness Engineers!
Apr 14th at 1:53 pm
Thanks for letting us know. Y’all work so hard on making WP a secure and safe place for all of us to blog and share with the world, all of your work is very appreciated by us members/bloggers. I do hope y’all catch the person/group who did this.
Maybe it’s best that all of us change our passwords just in case? I know I’m going to be changing mine to be safe!!
Apr 14th at 2:04 pm
Thank you for the update yes it is a tough one to announce however I have more respect for the fact that you were honest and told all of us rather than trying to cover it up like some other sites do and would.
Apr 14th at 2:07 pm
Very much appreciate the update. Good luck–we’ve got confidence in you.
Apr 14th at 2:53 pm
Insecurity is my normal state
Apr 14th at 3:28 pm
Thanks for your honesty, good work.
Apr 14th at 3:43 pm
Keep up the good work, guys….
Apr 14th at 3:50 pm
Thank you for the quick and honest info!
It’s much appreciated.
Apr 14th at 4:35 pm
How indicative all these comments are on the kind of service WP gives, i.e., the best. As an appreciative user, I rather resent the implication that I am on some sort of drugs because I applaud WP’s (and Matt’s) honesty and attempts at great service (as one commenter suggested above). “If you live by the sword, you die by the sword.” We users of the internet know that these things happen and that determined hackers are stopped only with intense effort. Now, here’s my contribution:
I have so many internet accounts to various websites that, if I change my passwords, I am doomed.
However, I use something that was recommended by my bank. It’s called Trusteer and not only protects my password, but protects any website I ask it to, including, of course, my online banking sites (and, now, WordPress). Once you install it, it is very easy to use. You can set it for weekly reports as well. I was appalled at how many various invasion attempts it is stopping, but very glad it was stopping them.
Apr 14th at 5:08 pm
Thank you so much for being so transparent.
Apr 14th at 6:11 pm
Appreciate the transparency! We love companies with this kind of behaviour. Nobody is fully protected from incidents like that.
Thank you WP team.
Apr 14th at 6:15 pm
Thank you. This motivated me to get LastPass.
Apr 14th at 6:39 pm
Creepy… Thanks for the heads up!
Apr 14th at 7:02 pm
Thank you! Good to know you have our backs!!
Apr 14th at 7:07 pm
Keep up the honesty and integrity, that’s what makes you guys #1 Thanks!
Apr 14th at 7:18 pm
What is with these fraudsters?! I found out someone or ‘something’ has been using my bank account as well today!! Ah well, at least we have honest people like you WordPress guys! Good luck in your investigations! Poppy
Apr 14th at 8:26 pm
Must say I was somewhat alarmed at seeing this title, but thank goodness your team’s controlling it. This situation is becoming a contagious disease, whew!!
Apr 14th at 8:34 pm
Thanks for keeping us up-to-date especially with this kind of issue. Highly appreciated!
Apr 14th at 8:57 pm
Thank you so much for the info. I have to admit I’m new here and I know now what to do for my security. Again, thank you. XD
Apr 14th at 9:12 pm
Your honesty and openness are awesome… Hopefully no one has stolen my identity… Geoff
Apr 14th at 10:06 pm
Honesty is always the best policy. Thanks!
Apr 15th at 9:10 am
Thanks for being honest and keeping us in the loop.
Apr 15th at 9:30 am
Thanks for all your hard work, guys!
Apr 15th at 2:04 pm
Thanks for the update. Appreciate it.
Apr 15th at 2:25 pm
This kind of policy – to be transparent – is exactly what will grow your success. Thank you so much.
Apr 15th at 5:47 pm
We love you all for all that you do to keep us safe. Have a great day squaring things away.
Apr 15th at 7:22 pm
Appreciate the honest update!
Apr 15th at 8:00 pm
Thanks for that…suppose incidents like that go with the territory, no matter how secure we’re trying to make this. Awesome advice on passwords!
Apr 15th at 9:17 pm
Thanks for the update. Good to hear that you are so open on these issues. Indeed, stuff happens. But it is not about the way that you fall, but about the way you get up your feet again. And you are doing just fine.
Apr 15th at 10:26 pm
Thanks so much! Sincerely appreciate it!
Apr 15th at 10:53 pm
Thanks for the notice and for working to figure things out!
Apr 16th at 1:49 am
Appreciate the heads up guys, thanks! –Meg
Apr 16th at 3:19 am
As usual, WordPress at its best. Thank you for the info.
Apr 16th at 5:44 am
Roger, over and out.
Apr 16th at 9:50 am
The WordPress Family: the Best Thing About the Internet.
Apr 16th at 4:05 pm
Thanks for the update.
Apr 16th at 6:06 pm
See, this is what I respect about WordPress and other people who work similarly. You admit it when things happen, and there’s no covering-up or blaming. Just telling us what’s happened nice and clearly, and giving advice on what to do. Thanks
Apr 16th at 6:34 pm
Aw sorry to hear and thanks for letting us know, I appreciate your open communication.
I hope they’re caught! Good luck.
Apr 16th at 8:36 pm
I read of the security breach
And the lessons in the life it would teach
I won’t worry my head
Or give into the dread,
I’m going down to the beach.
Apr 16th at 9:01 pm
As others have said, appreciate the honesty. Being upfront about security breaches endears your users more to WordPress and also motivates you guys to excel in keeping security higher so you don’t have to give us bad news.
God bless and keep up the good work!!!
Apr 16th at 10:11 pm
Thank you for being open, honest, very much appreciated.
Apr 16th at 11:24 pm
Your competitors could learn a thing or two about customer service from you. Stuff happens, but be honest about it and consider your customers as assets instead of numbers on a spreadsheet. You guys rock!
Apr 17th at 3:38 am
Thanks for the tips!
Apr 17th at 4:14 am
Thanks for the honesty. Standing behind you and your efforts. Keep the faith.
Apr 17th at 9:39 am
Thanks for all your hard work, guys!
Apr 17th at 11:10 am
I still use you as my media. Thanks for your honesty.
Apr 17th at 11:26 am
Thank you for being transparent. Yeah, so crap happens, but at least you notify us and considering how many people use WordPress and how I have no idea how you get all the work done, I seriously don’t care. So what? Then we’re going to change our passwords.
Still in love with WordPress.
Apr 17th at 1:29 pm
Everyone’s so nice on WordPress!
Apr 17th at 3:32 pm
Kudos for the heads-up.
Apr 17th at 4:59 pm
Thanks, I really appreciate it.
Apr 17th at 6:50 pm
Thanks for the update. I appreciate it.