HACKED: WordPress.com

Matt Mullenweg, a founding developer of WordPress, one of the largest blogging platforms nowadays, in a company blog post Wednesday:

Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

in Security Incident.

It can happen to anyone. Nothing to add as regards that aspect, at least until no additional information is available. But there's an aspect that deserves some attention: even though, apparently, no other information was disclosed besides that code, other data may have been compromised, as Zeljka Zorz, from HNS, pointed out:

As the servers also contain proprietary code from their users, Twitter and Facebook usernames and passwords and API keys, users that host their blogs on WordPress.com are advised to change all the passwords that could have been compromised - even though Mullenweg says that the WordPress passwords were stored hashed and salted using phpass - and to use different passwords for different sites.

Enough said. We await the unfolding of the novel.

Meanwhile, if you have an account on WordPress.com, change the password. Actually, change the WordPress.com passwords, and, if you have connections between WP and other services (e.g. Twitter or Facebook), change them too. (If, by any chance, your WordPress password is the same as other services' passwords, well, you know what you have to do, right? Change them).