Gmail Password Leak Update

We’ve taken extra steps to protect WordPress.com members.

This week, a group of hackers released a list of about 5 million Gmail addresses and passwords. The list was not the result of any exploit of WordPress.com, but a number of the email addresses on it matched addresses associated with WordPress.com accounts, so we took steps to protect our users.

We downloaded the list, compared it to our user database, and proactively reset the password on over 100,000 accounts where the password given in the list matched the WordPress.com password. We also sent those users an email notification of the reset with instructions for regaining access to the account. Users who received the email were instructed to follow these steps:

  1. Go to WordPress.com.
  2. Click the “Login” button on the homepage.
  3. Click on the link “Lost your password?”
  4. Enter your WordPress.com username.
  5. Click the “Get New Password” button.

In general, it’s very important that passwords be unique for each account. Reusing a password across web sites means that a breach of any one of them exposes every account that shares it, which is exactly what happened to the accounts we reset. Now would be a good time for all users to go through all of their online services and set a distinct, strong password for each.

It’s also a good idea to enhance account security by enabling two-step authentication on services that support the feature. Two-step authentication can be set up on WordPress.com by following these steps:

  1. Browse to WordPress.com.
  2. Hover over the user avatar at the top right of the screen.
  3. Click “Settings.”
  4. Click “Security” from the submenu.
  5. Follow the instructions provided there.

We also checked the accounts of 600,000 other WordPress.com users whose email addresses appeared on the list but whose leaked password did not match their WordPress.com password. Since these users were not immediately at risk, we did not reset their passwords or send emails, but we will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand.




  1. savyseph

    Thanks, but this may not solve the problem. The hackers may get to your Gmail (they had the password anyway) to frustrate these efforts. I hope those affected by this hacking can recover their accounts.


  2. gloryrevealed77

    That is what I called Customer Service and For the Love of the Customer! Thank you for being so considerate. You Rock!


  3. ohiogirl93066

    Reblogged this on ohiogirl93066 and commented:
    This upsets me because it feels to me that our privacy is being violated yet again and people don’t give a damn! When they hack they aren’t thinking about the chaos that causes!


  4. curvygirl11

    It is good to get reminders about passwords etc. However hacking passwords is an ongoing issue across the board.


  5. GolNaran

    There is not any “security” submenu in my dashboard.
    What should I do?


    • Daryl L. L. Houston

      The security item isn’t in the old-style dashboard; it’s in the settings available from the wordpress.com home page. Try going there, then hovering over the avatar at top right, then look for Settings.


  6. GolNaran

    Thank you so much!


  7. ldlagarino

    It may be a coincidence, but yesterday, Sunday, September 14, I logged into WordPress and discovered one of my posts had vanished. The post itself is not a big deal. It was a first draft of a scene from a screenplay in progress that has since been rewritten. I left it in order to have confirmation of the posting date. For something to vanish, it must have been moved somewhere or been deleted, and not by me.


  8. tierneycreates

    Very awesome that WordPress was so diligent!


  9. eytan

    How could you compare passwords ? Are they not hashed ?


    • Daryl L. L. Houston

      The passwords in the list were in plain text. We compared them to our hashed values in the same way that we do when you try to log in — by hashing the plain text password before comparing. If the hashed password from the list matches the hashed password we’ve stored, then the passwords overlapped.

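The post says the leaked list was compared against the user database, and the reply above explains how: each plaintext password on the list is hashed exactly as a login attempt would be and the result is compared with the stored hash. The block below is an added example of that triage; it is not WordPress.com's code, and the salted PBKDF2-SHA256 hash, the `email:password` dump format and the user table are all assumptions or constructed sample data. It also produces the two groups the post describes: accounts whose leaked password matches (force a reset) and accounts whose address appears on the list but whose password does not match (dashboard notice only).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample of a leaked "email:password" dump; not real data.
# A password may itself contain ':', so only the first ':' is a separator.
LEAKED_DUMP = """\
alice@example.com:correct horse battery staple
BOB@example.com:hunter2
carol@example.com:Tr0ub4dor&3
alice@example.com:an older password
"""

# Assumed hash parameters; the post does not say which scheme WordPress.com uses.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash the way the login path would: salted PBKDF2-HMAC-SHA256 (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes


def make_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email.lower(), salt, hash_password(password, salt))


# Constructed user table: alice reused her leaked password, bob uses a
# different one, carol is not a member, dave is a member but not on the list.
USERS = {u.email: u for u in (
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "a different password"),
    make_user("dave@example.com", "unrelated"),
)}


def parse_dump(text: str) -> list:
    """Return (email, plaintext password) pairs with the address normalised."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def triage(dump_text: str, users: dict) -> tuple:
    """Split member accounts found on the list into two groups.

    reset:  the leaked password hashes to the stored hash -> force a password reset
    notify: the address is on the list but the password differs -> dashboard notice
    """
    reset, notify = set(), set()
    for email, leaked_pw in parse_dump(dump_text):
        user = users.get(email)
        if user is None:
            continue  # not a member: nothing to check, and no expensive hash
        if email in reset:
            continue  # already flagged from an earlier line
        candidate = hash_password(leaked_pw, user.salt)
        # Constant-time comparison, as on the login path.
        if hmac.compare_digest(candidate, user.pw_hash):
            reset.add(email)
        else:
            notify.add(email)
    return reset, notify - reset


if __name__ == "__main__":
    to_reset, to_notify = triage(LEAKED_DUMP, USERS)
    print("reset:", sorted(to_reset))    # ['alice@example.com']
    print("notify:", sorted(to_notify))  # ['bob@example.com']
```

Two details are worth keeping when this is run against a real list of several million lines: the slow hash is only computed for addresses that are actually members, which is what keeps the job tractable, and an address that appears several times is settled by any one matching line, so a later non-matching entry never downgrades an account from the reset group to the notify group.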

  10. deensaxton

    I have full identity restoration so I’m covered


  11. DMCrim

    Reblogged this on dmcrim and commented:
    Another example of hackers! Glad to know WordPress is taking appropriate precautions! Great website 🙂


  12. kaoseast

    Very professional, and it’s not Google. Thanks.


  13. quincydaniels

    Good job. WordPress gets a bum rap sometimes for security that I don’t think it deserves. Keep updating everyone is my advice. Customers like updates.


  14. MTJames

    Though mine wasn’t one of the passwords hacked, I’m thankful that you responded so quickly. I’m also thankful for LastPass, password vault and generator.


  15. heismy3in1

    Thank you so much for taking care of us! I will follow up on what you recommend below.


  16. Linda Kennett

    Daryl- I just received an email about downloading a new WordPress 4 called “Benny” from Matt Mullenweg that looks like a scam. Is there a new WordPress to download? Thanks- Linda

    Linda Kennett

    “The people who know their God will display strength and take action.” Daniel 11:32b NASB

    Date: Sat, 13 Sep 2014 01:47:46 +0000 To: lenarae@outlook.com


    • Daryl L. L. Houston

      Linda, such an email may have gone out (I’m not sure). There is a new WordPress 4 version named “Benny.” If you’re using wordpress.com, it won’t likely be relevant to you, as it’s the version that you install on your own server. You should always be wary of what links you click in an email. If you’d like to download WordPress 4.0, just head over to wordpress.org and get the download from there, or if you happen to have a WordPress install already, you should be able to update right from your dashboard. Again, though, if you’re on wordpress.com, you’re already taken care of.


  17. theazulineflurry

    Thank you, WordPress! Incredibly helpful!


  18. SGC Admin

    thanks so much for your diligence… 🙂 it’s appreciated… have a fabulous day…


  19. ldlagarino

    Daryl, Thanks for the information. It’s probably nothing to get worked up over.


  20. qb.support@aol.com

    Thanks for the info..


  21. edlikesfezzes

    Thanks for taking care of this.

