"I've got a bad feeling about this..."
Uh-oh:
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied.
Moderate kudos to Automattic for the disclosure. Big questions:
- When did the break-in happen? Those kudos have a limited shelf life, particularly if it’s revealed that the company’s been sitting on this for a while.
- Was Wordpress.com account information compromised? My guess is yes, which would explain the far-too-passive “You know, you should really use different passwords for each web service” PSA that follows the break-in disclosure. Given the number of Wordpress.com accounts and the amount of personal information shared on each, this could make the Gawker password incident seem like small potatoes.
- How screwed are self-hosted Wordpress installations? Wordpress releases a lot of security updates already. It’s hard to say without more details about the “sensitive bits” of code that were accessed, but it sounds like we may be expecting a flood of 0-day exploits on the horizon.
I expect we’ll be hearing a lot more about this in the next few days.