Arik Hesseldahl

WordPress.com Suffers Security Breach

Blogging host Automattic says it has suffered a security breach, and it’s potentially a bad one. A post on the WordPress.com blog by founder Matt Mullenweg describes it as a “low level (root) break-in.” This suggests that the attackers rooted the systems in question, attaining the highest level of privileges (superuser status), so anything on the affected systems could have been taken, copied or tampered with. (The company hosts many sites, including CNN’s Political Ticker, the NFL’s official blog and also, notably, AllThingsD.)

Details on the attack are sparse as yet. Mullenweg hasn’t disclosed which sites were affected. He said that Automattic’s team has been reviewing systems logs and plugging holes that may have been used to gain access. “We closed the avenues of access and have introduced several more layers of security to prevent a similar issue in the future,” he told me in an email.

“We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited,” he wrote. The investigation is ongoing.

In the meantime, Mullenweg reminded his customers–and it bears repeating even if you’re not a customer–that passwords should be complicated and shouldn’t be used across multiple sites. He also suggests using tools like 1Password, LastPass, and KeePass to make it easy to keep track of different passwords.

