The WordPress.com Blog

Gmail Password Leak Update

We’ve taken extra steps to protect WordPress.com members.

This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPress.com accounts, we took steps to protect our users.

We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password. We also sent email notification of the password reset containing instructions for regaining access to the account. Users who received the email were instructed to follow these steps:

  1. Go to WordPress.com.
  2. Click the “Login” button on the homepage.
  3. Click on the link “Lost your password?”
  4. Enter your WordPress.com username.
  5. Click the “Get New Password” button.

In general, it’s very important that passwords be unique for each account. Using the same password on different web sites increases the risk of an account being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.

It’s also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:

  1. Browse to WordPress.com.
  2. Hover over the user avatar at the top right of the screen.
  3. Click “Settings.”
  4. Click “Security” from the submenu.
  5. Follow the instructions provided there.

We checked the accounts of 600,000 other WordPress.com users whose email addresses were included in the list. Since these users were not immediately vulnerable, we did not reset their passwords or send emails but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.



147 Comments

Comments are closed.

  1. chrisdaveacodili

    Thanks for your kindness and consideration

    Liked by 4 people

  2. louisjbianco

    That was awesome of you!

    Liked by 10 people

  3. susielindau

    Thanks for staying on top of this and taking care of us.

    Liked by 7 people

  4. frankmorrell

    It seems like you hear of someone being hacked on almost a daily basis. My email was hacked over a year ago. Real pain in the backside. I bought a password program and use a different 18 to 20 character password on every site. Have not been hacked ever since, but it’s not as quick and easy to go to different sites. I try to remember and change some of them that go to sensitive sites like my bank on a somewhat regular basis.
    Frank

    Liked by 16 people

  5. gateviews

    From Gary Tate / gate3@juno.com I’m trying to reset my account with WordPress

    Sent from my Verizon Wireless 4G LTE DROID

    “WordPress.com News” wrote:

    > WordPress.com Daryl L. L. Houston posted: “This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. This list was not generated as a result of an exploit of WordPress.com, but since a number of emails on the list matched email addresses associated with WordPr”

    Liked by 1 person

    • Daryl L. L. Houston

      If you’re having trouble, head here to try to reset. If that doesn’t work, try the “Need More Help?” link at the bottom, provide the requested info to help us validate access to the account, and we’ll try to get you squared away.

      Like

  6. Karen

    You guys are GREAT!!

    Liked by 4 people

  7. lifeinsmallbites

    Please help. I am not able to get into my site http://www.LifeInSmallBites.com and have repeatedly asked for a new password update. No link is ever sent from WordPress to my e-mail jim@lifeinsmallbites.com. Please send a link so I can update my password. Thank you – Jim

    Like

    • Daryl L. L. Houston

      Jim, be sure to check your spam folder to make sure the emails aren’t being sent there. If not, then head over here and click the “Need More Help?” link at the bottom. Provide the requested details that’ll help us validate your access to the account and we’ll do our best to help get you logged back in.

      Liked by 1 person

  8. maniessera

    Thanks, WordPress! You are wonderful!

    Liked by 1 person

  9. atreyu59

    I see a time coming where there will be daily hacks and security breaches that will change the fabric of how we do business. Everyone is going to have to be knowledgeable on IT and security issues in order to stay abreast of the threats lurking on every webpage/site. It is a shame we have to deal with these issues, but glad you’re on top of it nevertheless. I hope those who had their emails breached know; some may never know until it is too late.

    Liked by 1 person

  10. Across Leather

    Thank you WordPress!! You guys and Gals rock!!

    Liked by 1 person

  11. john atega

    Nice to hear that. Thank you.

    Liked by 1 person

  12. tylershepard1991

    I thank you for taking the security of your users to another level. I am glad I am a part of a service who takes the time to do what was outlined above.

    Liked by 2 people

  13. Marilyn Armstrong

    Thank you. I didn’t get an email, but I always worry that I should have, but it got sent to spam. I’ll check just to make sure. Nice to know you guys are vigilant.

    Like

    • Daryl L. L. Houston

      The email address you’ve used to comment was not on our list of accounts with matching passwords, so we didn’t send you an email. It’s still a good opportunity and reminder to double-check your password age and security. Even if you weren’t on this list, you never know when you’ll turn up on a list somewhere.

      Like

  14. frankmorrell

    Thank you.
    One thing I have found is, I backed up the password program with the URL, user name and password in a Word doc that is named a generic name. Some sites nail the password program when it logs in for me as being a robot. With most of the sites I go to being bookmarked, it is quick and easy to copy and paste from the Word doc and it gives me a backup. I save the doc from time to time. I had a nasty virus awhile back and was thankful for a 3T external hard drive backup. Also grateful that I keep 2 copies of every authorization and key for each program I buy in a special folder. If you are not backed up, you might check with Amazon. The 3 Terabyte was less than $130, shipping and everything, last year. Check with other places because Amazon does not always have the lowest price. Smaller external hard drives are cheaper.
    If the folder for authorizing software is in your doc files, it will be automatically backed up on a regular basis.
    I had to reinstall and reauthorize every program that I use. The pain was not as bad as it would have been without organization and copies of what I needed. Bought my first computer in 1987 and been bit several times.
    Frank

    Liked by 3 people

  15. ptl2010

    Thank you for all you do which goes unnoticed and while we are sleeping. Blessings on you and the team.

    Like

  16. John

    YAY WordPress.com!! Hackers – evil is as evil does.

    Liked by 1 person

  17. drrandylowesr

    Good proactive work.

    Sent from my iPhone

    Like

  18. oaplascencia

    And that’s why we LOVE wordpress.com !!!

    Like

  19. Charlotte Ortega

    Thanks for looking out for all of us little guys blogging our hearts out! WordPress you rock!

    Like

  20. Charlotte Ortega

    18 to 20 character password??? Is this the new prevention for Alzheimers….

    Liked by 1 person

  21. myblogmyfeelings

    Thank you very much. Makes me glad I chose WordPress and not something else.

    Like

  22. gill256

    Reblogged this on BAREFOOT TRAVELER and commented:
    Gmail Password Leak Update

    Like

  23. Frustrated Writer

    I’m just new here but still thanks so much!

    Like

  24. parrillaturi

    Good heads up on your part. Thank you.

    Like

  25. moiracampbell

    Thanks for everything pro-active about WordPress !

    Like

  26. lwcapp

    Reblogged this on Lwcapp.

    Like

  27. SomniVision

    Great stuff guys, thank you for looking out for us!

    Like

  28. Mathukutty P. V.

    nice and useful post

    Like

  29. armantheangel

    I heard but before this security agencies were aware that Samanpurians were working through IT platform.

    Like

  30. fr33bitcoin (@fr33bitcoin)

    The 5 million email IDs that were leaked were more linked to bitcoin users and bitcoin accounts.

    Like

    • Daryl L. L. Houston

      Right, but since we know that people often use the same passwords across multiple accounts, we wanted to prevent in advance any account compromises in cases of such reuse. As noted in the post, there were over 100,000 accounts in the publicly available list for which the password could have allowed anyone reading the list to log into a WordPress.com account if it occurred to them to try (and this sort of thing certainly does occur to hackers and spammers). So sure, the list started as a bitcoin user account list, but it could have been used to hurt our users, and we prevented it.

      Liked by 1 person

  31. kofilarbi30

    Thank you

    Like

  32. Russellers.com

    A very helpful and professional approach; even though we don’t associate this account with G-Mail the general advice about passwords is relevant and timely. Well done WordPress.

    Like

  33. mrsmrs

    Well done you|se.

    Like

  34. Profarms

    Reblogged this on ©African News Digest®.

    Like

  35. Ahnaf Mahmud

    Reblogged this on Gamenology and commented:
    WordPress is totally awesome! If you are looking for a good website provider, choose WordPress!

    Like

  36. Ahnaf Mahmud

    Dude that was totally awesome! Mine wasn’t affected, but your great work has saved a lot of people! Great job!🙂

    Like

  37. adedigbajuliusademola

    Good update. Thanks for the information.

    Like

  38. La Cri'

    Reblogged this on secondastella72 and commented:
    The hackers strike again. Luckily I came across this email, so I’m reblogging it; I think it’s useful to all of us who use wordpress. I am definitely going to change my password!!

    Like

  39. ashokbhatia

    Appreciate this support!

    Like

  40. elmtg7

    Thank you for letting me know. I, however, opened a WordPress blog at one or other time but I did not carry on from there. I think I either cancelled the blog or I was trying to do so. So please let me know how I can get out of this predicament.

    Trust to hear from you in this regard,

    Regards,

    Ester Blomerus

    Like

  41. AE Via Boulder

    Reblogged this on Ass.Esp. Via Boulder.

    Like

  42. tellthetruth1

    Had this happen with something else a few months ago. Thanks for this news. I had no idea.🙂

    Like

  43. tellthetruth1

    Reblogged this on The love of God and commented:
    Warning to all visitors, straight from the WP blog…

    Like

  44. Ehrke HeideMarie R.

    Hello,

    I am so sorry! Your last eMails – I couldn’t find any more! Please, can you tell me if my account was hacked too?

    Thank you very much! I will change my password, but I had to know this, please! It’s urgent because of my profession!

    Have a Good Day! Thanks!

    HeideMarie R. Ehrke

    Sent from my iPad

    Like

    • Daryl L. L. Houston

      The list we checked was composed of Gmail accounts, and yours (at least the one you’re commenting with) is not a Gmail account, so it wasn’t on our list. It’s a good idea to change your password periodically and to follow best practices (linked in the post) for creating a strong password. Now would be as good a time as any to take care of that, whether or not you know your account to have been compromised.

      Like

  45. King Macachor

    Hi Daryl,
    I appreciate your vigilance on our security, but who would ever hack intellectual property? I think that’s the reason I couldn’t get into my account anymore. I’ve been trying to do it several times to no avail. Please, let us do it in the end so that we would be able to access our account. I tried several times to make a new post but failed.

    Thank you again.
    http://www.emmacachor.wordpress.com

    Like

    • Daryl L. L. Houston

      Yikes, I’m sorry you’re having trouble getting back in. Head to our lost password page to try to get sorted. If that too is giving you trouble, click the “Need More Help?” link at the bottom, provide the requested info to verify your account, and we’ll try to help you regain access.

      As for who would ever try to hack intellectual property, you’d be surprised how often it happens and how much work we do behind the scenes to try to prevent it. There are other nasty reasons to try to hijack blogs too. Security is important even for things for which you wouldn’t really expect it to matter at all.🙂

      Liked by 1 person

  46. saxologyst

    Glad you are proactively handling this.

    Like

  47. srinivasanraja0

    Your prompt action is commendable; a testimony for the care and concern you hold for members.

    Like

  48. UrbanWalkerCT - Anton

    Amazing work, and thank you for being so proactive in the protection of our passwords

    Like

  49. omahadar

    Why don’t we just shut down the Russian hackers?

    Like

  50. BinaryJourney

    How do you know what users’ passwords are? Are you storing them in an accessible form? This is not good if that is the case…

    Like

    • Daryl L. L. Houston

      Nope, we’re definitely not storing them in an accessible form, but since the list included passwords in plain text, we could encrypt them and compare them to the encrypted passwords in our system. It’s the same process that occurs when you submit a password yourself via a form.🙂

      Like
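The matching process Daryl describes in the reply above, as an added example (this is not WordPress.com’s own code, and the page does not say which password hashing scheme WordPress.com uses; salted PBKDF2-HMAC-SHA256 is assumed here as a stand-in for “encrypt and compare”): each leaked plaintext password is hashed with the stored per-account salt and compared in constant time against the stored hash, exactly as a login form submission would be. Accounts that match go on the reset list (the 100,000 in the post); accounts whose email appears in the leak but whose password does not match go on the notify-only list (the 600,000). The accounts and leaked rows below are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed hashing scheme (not stated on the page): salted PBKDF2-HMAC-SHA256.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(email: str, password: str) -> dict:
    """Constructed account record: only salt and hash are kept, never the password."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user database (sample data, not real accounts).
USERS = [
    make_account("alice@gmail.com", "correct horse battery staple"),
    make_account("bob@gmail.com", "bobs-wordpress-only-password"),
    make_account("carol@example.org", "not-a-gmail-user"),
]

# Constructed "leaked list" rows of (email, plaintext password).
LEAKED = [
    ("alice@gmail.com", "old-alice-password"),            # stale row, does not match
    ("Alice@Gmail.com ", "correct horse battery staple"),  # reused password -> reset
    ("bob@gmail.com", "bobs-gmail-password"),             # different password -> notify
    ("dave@gmail.com", "whatever"),                        # no account on this service
]


def verify(account: dict, candidate: str) -> bool:
    """Same check a login form performs: hash the candidate, compare in constant time."""
    return hmac.compare_digest(account["hash"], hash_password(candidate, account["salt"]))


def triage(users: list, leaked: list) -> tuple:
    """Split leaked rows into accounts to force-reset and accounts to notify only.

    Returns (reset, notify) as sets of account emails. An account with at least
    one matching row is reset; an account whose email appears but whose
    passwords all fail verification is only notified.
    """
    by_email = {u["email"].lower(): u for u in users}
    reset, notify = set(), set()
    for email, password in leaked:
        acct = by_email.get(email.strip().lower())
        if acct is None:
            continue  # email not registered here; nothing to do
        if verify(acct, password):
            reset.add(acct["email"])
        else:
            notify.add(acct["email"])
    # A single matching row outranks any number of non-matching rows.
    return reset, notify - reset


if __name__ == "__main__":
    to_reset, to_notify = triage(USERS, LEAKED)
    print("force reset:", sorted(to_reset))
    print("notify only:", sorted(to_notify))
```

Because the stored hash carries a per-account salt, the comparison cannot be run once over the whole leak; each leaked row has to be hashed again under the salt of the matching account, so the cost scales with the number of emails present in both sets rather than with the full user base.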

  51. ravinthranath

    Reblogged this on ravinthranath.

    Like

  52. thelightweightphotographer

    Thank you. This is what I call real service. Everyone on the web has a social responsibility but few fulfill it. You should be applauded for your actions. Well done.

    By the way, I just read this to my wife and she was really impressed with your response as well.

    Like

  53. Tine

    Reblogged this on Freedom Per Thought.

    Like

  54. hapi09

    thanks for the concern..

    Like

  55. yispan316

    thank you. I shall share this

    Like

  56. olivier rebiere

    Thank you for protecting us !

    Like

  57. ankita1201

    Reblogged this on Behind Silence and Solitude and commented:
    Well, good job WordPress.com

    Like

  58. samsterwasi87

    Reblogged this on samsterwasi.

    Like

  59. Annie of the Twinkling Stars

    Thank you for your speedy action! Some of us wouldn’t have known this in time to safeguard our accounts at WordPress.

    One of the best things anyone can do in a situation like this is immediately change the password of the gmail address associated with one’s WordPress account, whether or not one’s email is included in the list of 5 million hacked gmail accounts, among other things besides of course.

    Like

  60. jaggu118

    Nice update

    Like

  61. Mary Jane Kinkade

    Please keep us posted on this. Thanks.

    Like

  62. Bob Knowles

    Did the hacked list include Google Apps accounts?

    b

    Like

  63. almostvvriter

    Thanks guys for taking care of us!

    Like

  64. Honey Silvas

    Reblogged this on Honey Silvas and commented:
    It’s time to change passwords… again! Have a password changing party!

    Like

  65. KokkieH

    Reblogged this on if all else fails…use a hammer and commented:
    In case any of you missed this, now might be a good time to update your WordPress and Gmail passwords (and Facebook, and Twitter, and Instagram, and Amazon…I should make a list of all my online accounts, methinks.)

    Like

  66. Meredith

    Thanks for your diligence.

    Like

  67. swpeterson

    Even though my password wasn’t in your list, I just wanted to thank you for doing the right thing!

    Like

  68. Empowered Results

    Reblogged this on EMPOWERED RESULTS and commented:
    This is why I love using WordPress…🙂

    Like

  69. Hristiana Slavkova

    Reblogged this on impressions and commented:
    In general, it’s very important that passwords be unique for each ACCOUNT. Using the same password on different web sites increases the risk of an ACCOUNT being hacked. Now would be a good time for all users to go through all online services and set distinct, strong passwords for each.

    Like

  70. Connie Woodson

    Thank you for the support

    Like

  71. Hristiana Slavkova

    This is awesome and I re-blog…Thank you!

    Like

  72. ehpem

    Great job – this kind of thing keeps us blogging with WP.

    Like

  73. Steve

    I would strongly recommend using the app Password Safe. I use it all the time and if you are interested then there is a post about it in my blog.

    Like

  74. aerodesigner

    Now this is how all sites that login with Google should react!! Thanks, WordPress!!

    Like

  75. simmonsshaylee

    Reblogged this on TruthDirect and commented:
    Something important that should be read!

    Like

  76. frankmorrell

    Having bought my first computer in 1987, I have had some disasters over the years. What I found out is, when 3, 4, 5 or more years go by without a real problem with your files and programs, you get really careless about backing up.
    That is why I like an external hard drive backup. For less than $130 I bought a 3 Terabyte backup hard drive. When I purchase a new program I automatically put all the necessary information in a doc file and save it to a folder just for that purpose. When I change a password or create a new account I use a password program to generate an 18 to 20 character password. I then save the login information, the URL, user name and password in a document for backup and to use on some sites.
    Because all the information to reinstall, reauthorize a program and all my login information are in doc files, the external hard drive automatically keeps them backed up.
    Being human I am prone to get careless when enough time passes without any major problems.
    I found the best way to get around that is to have a system that does it automatically for you.
    What causes the greatest problems for us is, month after month, maybe several years go by and nothing serious happens, things go pretty good. We get complacent. Really careless, and then BOOM we get bit.
    Amazing what you learn from the pain inflicted by the problem.
    Frank

    Like

  77. Jordan135 Gaming

    Reblogged this on ✯ Jordan135 Gaming ✯.

    Like

  78. stashid

    Reblogged this on Babyzeuch und Schweinskotelett.

    Like

  79. cocosangel

    Reblogged this on cocosangel and commented:
    For my friends who may have gmail accounts… please check this site.

    Like

  80. feddy92

    Reblogged this on feddy92.

    Like

  81. erikamsteele

    Reblogged this on Feigned Affections and commented:
    No offense to the WordPress team. I am sick of all these password leaks. This is mostly to remind myself to change my password.

    Like

  82. 61chrissterry

    Thank you for caring about us.

    Like

  83. Laura P. Schulman, MD, MA

    Thanks so much! Question: is it possible to get 2 step authentication if one lives in a country that is not the U.S.? I live in Israel most of the time.

    Like

  84. Luis Ramirez

    thank you

    Like

  85. ipanase

    thanks sir for this warning and advice😀

    Like

  86. nirajsa

    Reblogged this on Niraj Sapkota.

    Like

  87. Nemesis x Grier

    Reblogged this on Lets talk Mafia Wars.

    Like

  88. ajim775

    Reblogged this on The Online Sales Wire and commented:
    This is good to know in case you missed.

    Like

  89. longwalkfilms

    Thanks for the info.

    Like

  90. Ross W

    Reblogged this on recovery_channel™.

    Like

  91. Kathy Waller

    Reblogged this on To write is to write is to write and commented:
    In case you missed it . . .

    Like

  92. simplycindysblog

    Wow.. Privacy has lost its meaning!

    Like

  93. belsbror

    Thank you for taking the quickest countermeasures to protect bloggers. I have the two-step authentication security feature so I strongly recommend it for others for better password protection.

    Like

  94. isaacovf

    I’ve never read about your gmail hackers, but, seriously, thanks for writing this article. I do have Authy

    Like

  95. sherryannemeyer

    Reblogged this on Ordinary Leader and commented:
    I cannot emphasize enough to all of you how critical it is to maintain strong passwords and a unique password for every site. I appreciate WordPress’s two-step verification process with an Authenticator app. This is essential to protect you personally, your career, your intellectual assets as well as financial assets.

    Like

  96. Jenn

    This is so nice, Daryl. On a completely unrelated note, I miss reading your writing tips. Need to head to your blog!

    Like

  97. Jenn

    For those who are already using Password Managers, which one is the best among those in the list? How about you, Daryl? Which do you use? (Preferably free because I’m poor.)

    Like

    • Daryl L. L. Houston

      I’ve only ever used “1 Password” and so can’t speak to the quality of the others, sadly. It has served me well but is not free. Any of the ones on the list at the “strong passwords” link in the post would be worth looking into.

      Like

  98. harivsc

    If you want to check if your Google account, which is the gateway to your Gmail, Plus, Drive, Hangout, YouTube accounts as well, has been compromised, then simply click this link and provide your Gmail ID. https://isleaked.com

    Like

  99. bayneca

    Thank you once again

    Liked by 1 person

  100. Indra Zudin

    I want to check the list of email addresses to make sure my email address is included in the list or not. Where can I find the list?

    Liked by 1 person
