Break-in at WordPress.com
WordPress.com's Matt Mullenweg has confirmed that attackers broke into its systems and gained root-level privileges, and that "potentially anything on those servers could have been revealed". While WordPress.com's software is open source, the source code on WordPress.com's servers contained configuration information and code written for partners, which would include sensitive information that may have been accessed by the intruders.
WordPress.com's operator, Automattic, says that after reviewing logs it appears that only limited information was disclosed. At present there is no indication that the intruders stole passwords from WordPress users and, even if they had, the passwords are stored in hashed and salted form and are therefore hard to crack.
That said, it is not a bad idea for users to change their password anyway, and even more so if the same password is used on multiple sites. Mullenweg suggests using randomly generated passwords and a password manager to keep track of the different passwords used for different sites.
Automattic has now taken steps to close the vulnerability that the attackers used and is continuing its analysis of the break-in. The company says any questions or concerns should be addressed to its support team.