The guys from Automattic (WordPress) posted today a brief statement about a security incident that they suffered.
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
They didn’t provide much details, but the common guideline applies: If you have an account at WordPress.com, WordPress.org, or any of their web properties, change them asap (specially if you reuse on some other location).
It seems that the attackers got root access in there, and based on what they mentioned in the blog post, it was through brute force or stolen passwords…
We will post more details when we hear it.