WordPress.com Suffers Security Breach

Blogging host Automattic says it has suffered a security breach, and it’s potentially a bad one. A post on the WordPress.com blog by founder Matt Mullenweg describes it as a “low level (root) break-in.” This suggests that the systems in question were rooted by the attackers, meaning that the attackers attained the highest level of privileges (or Superuser status), which means anything on the affected systems could have been taken, copied or tampered with. (The company hosts many sites, including CNN’s Political Ticker, the NFL’s official blog and also, notably, AllThingsD.)

Details on the attack are sparse as yet. Mullenweg hasn’t disclosed which sites were affected. He said that Automattic’s team has been reviewing systems logs and plugging holes that may have been used to gain access. “We closed the avenues of access and have introduced several more layers of security to prevent a similar issue in the future,” he told me in an email.

“We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited,” he wrote. The investigation is ongoing.

In the meantime, Mullenweg reminded his customers–and it bears repeating even if you’re not a customer–that passwords should be complicated and shouldn’t be used across multiple sites. He also suggests using tools like 1Password, LastPass, and KeePass to make it easy to keep track of different passwords.