Automattic, the folks behind WordPress, suffered another blow to its security this week after a hacker gained access to servers containing sensitive company and user data. In a blog post yesterday, President Matt Mullenweg described the breach as a "low-level (root) break-in" that would have given the attacker access to "potentially anything" on several of Automattic's servers.
After reviewing internal logs, the company believes its source code was exposed and copied. "While much of our code is open source, there are sensitive bits of our and our partners' code," Mullenweg explained. Based on its records, the company doesn't believe much, if any, other sensitive information was compromised.
Even if the hackers copied user passwords, they're all hashed and salted using phpass. In other words, you should be safe unless you use something incredibly lame like "qwerty". If you're concerned about the safety of your account, Mullenweg offers a few tips:
- Use a strong password, meaning something random with numbers and punctuation.
- Use different passwords for different sites.
- If you have used the same password on different sites, switch it to something more secure.
Gawker Media's servers were breached last December and a hacker group published some 1.3 million user emails and passwords via BitTorrent. Some 200,000 weak passwords were cracked very quickly, revealing that thousands of users were safeguarding their accounts with passwords such as "123456," "password," and "abc123".
In early March, WordPress was nailed by several large distributed denial of service (DDoS) attacks that originated from China. The first attack amounted to multiple gigabits and tens of millions of packets per second bombarding their servers, which crippled all three of the company's data centers and resulted in connectivity issues for the service's 18 million hosted blogs.
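To make concrete why salted phpass hashes blunt a stolen database, but only for users who pick decent passwords, here is an added Python re-implementation of phpass's "portable" hash format (the `$P$` scheme WordPress used), with a verifier and a simple weak-password blocklist check. This is example code written for this page, not Automattic's or phpass's own code; the 2^13 iteration default (giving hashes that start with `$P$B`) reflects WordPress's setting of the time, and the blocklist is a constructed sample that includes the "qwerty" and Gawker-style passwords named in the article.

```python
import hashlib
import hmac
import secrets

# phpass's own 64-character alphabet (it is not RFC 4648 base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """phpass encoding: 3 input bytes -> 4 output chars, least-significant bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def crypt_private(password: bytes, setting: str) -> str:
    """Recompute a portable hash from a password and a setting string
    ("$P$" + iteration-count char + 8-char salt, optionally followed by the hash)."""
    if setting[:3] not in ("$P$", "$H$"):       # "$H$" is phpBB's alias for the same scheme
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt too short")
    # Per-user salt means identical passwords hash differently, so a single
    # precomputed table cannot be reused across accounts.
    digest = hashlib.md5(salt + password).digest()
    # Repeated hashing (2^count_log2 rounds) raises the cost of each guess.
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def hash_password(password: str, count_log2: int = 13) -> str:
    """Hash a new password with a fresh random 6-byte salt (assumed default: 2^13 rounds)."""
    setting = "$P$" + ITOA64[min(count_log2, 30)] + encode64(secrets.token_bytes(6), 6)
    return crypt_private(password.encode("utf-8"), setting)


def check_password(password: str, stored: str) -> bool:
    """Verify a password against a stored hash; the stored string carries its own salt and cost."""
    try:
        computed = crypt_private(password.encode("utf-8"), stored)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(computed.encode(), stored.encode())


# Constructed sample blocklist; a real deployment would use a large breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "abc123", "qwerty", "letmein", "111111"}


def is_blocklisted(password: str) -> bool:
    """Hashing cannot rescue a password an attacker guesses in the first few tries;
    reject the obvious ones at signup instead."""
    return password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    h = hash_password("a long unique passphrase")
    print(h, check_password("a long unique passphrase", h))
    print("qwerty blocklisted:", is_blocklisted("qwerty"))
```

The verifier recomputes the hash from the salt and cost embedded in the stored string, so rotating the cost for new users needs no schema change; the cost character is the only knob that makes brute-forcing a leaked table slower, and it does nothing for a password already sitting in the attacker's wordlist.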