Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited. (Official WordPress Blog)
To their credit, Automattic alerted the community regarding the breach, a habit I wish were emulated in other industries (which often inform users days if not weeks later).
Automattic is still investigating the hack. There does not appear to be any evidence that passwords were compromised, but because a root-level intrusion could have exposed anything on the affected servers, the company is recommending that users change their passwords.
It is also a good idea for self-hosted blogs that use WordPress.com services (like VaultPress) to change their WordPress.com passwords as well, along with any other account where the same password was reused.
Note: For those of you who are extra paranoid, you can also change your username by visiting your Global Dashboard, clicking on “Personal Settings” in the sidebar, scrolling down to the “Account Details” section and clicking on the “Change” link next to your user name.
Although this breach only indirectly affects self-hosted WordPress fans, it might be wise to verify your hosting company’s security defenses, as well as to install a few plugins (like Login Lockdown, which limits repeated failed login attempts from the same IP address) on your site.
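To show what a plugin in the Login Lockdown family actually does, here is a minimal failed-login lockout written for this post as an added example. It is not the Login Lockdown plugin’s own code, nor anything from Automattic; the thresholds (5 attempts, 15-minute window) and the `ell_` prefix are arbitrary choices. It uses only stock WordPress hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transient API, so it can be dropped into wp-content/plugins/ as a single file.

```php
<?php
/*
Plugin Name: Example Login Lockout (illustrative, not the Login Lockdown plugin)
Description: Blocks logins from an IP after too many failed attempts.
*/

// Hypothetical thresholds; tune for your site.
define( 'ELL_MAX_ATTEMPTS', 5 );
define( 'ELL_WINDOW', 15 * 60 ); // seconds the counter lives after the last failure

// Source IP of the current request. Only REMOTE_ADDR is trusted here:
// X-Forwarded-For is attacker-controlled unless your reverse proxy overwrites it.
function ell_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per source IP holds the failure count.
function ell_transient_key() {
    return 'ell_fail_' . md5( ell_client_ip() );
}

// Count each failed login; the counter expires ELL_WINDOW after the most recent failure.
add_action( 'wp_login_failed', 'ell_record_failure' );
function ell_record_failure( $username ) {
    $key   = ell_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ELL_WINDOW );
}

// Refuse authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20), so a valid password
// cannot override the lockout by returning a WP_User later in the chain.
add_filter( 'authenticate', 'ell_check_lockout', 30, 3 );
function ell_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( ell_transient_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ell_locked_out',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}

// Clear the counter on a successful login from that IP.
add_action( 'wp_login', 'ell_clear_failures', 10, 2 );
function ell_clear_failures( $user_login, $user ) {
    delete_transient( ell_transient_key() );
}
```

Two caveats a practitioner would want: the counter is keyed on IP, so a distributed password-spraying attack from many addresses slips under the threshold, and a shared NAT can lock out legitimate users. It also does nothing about credentials that have already leaked, which is why changing passwords, as recommended above, still comes first.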