Social Media Security

SocSec – The Social Media Security Website

Home » Wordpress & Buddypress » WordPress.com hack exposes confidential code

The company that maintains the WordPress.com blogging platform said hackers gained root access to its servers and made off with sensitive code belonging to it and its partners.

Wednesday’s advisory from Automattic is the latest to detail a breach on a company entrusted to keep customer information private. The company, which serves about 18 million publishers, said employees are still determining exactly what data was stolen, but the initial assessment didn’t look good.

“Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed,” the company’s founder, Matt Mullenweg, wrote. “We presume our source code was exposed and copied. While much of our code is open source, there are sensitive bits of our and our partner’s code. Beyond that, however, it appears information disclosed was limited.”

In the comments section to his post, Mullenweg said there’s no evidence that passwords were exposed, “and even if they had they’d be difficult to crack.” He advised users to change their passwords anyway, especially if the same one is used in two or more places. WordPress passwords are hashed and salted using the Portable PHP password hashing framework, he added.

Mullenweg didn’t say how hackers were able to root multiple servers belonging to his company but said it has “taken comprehensive steps to prevent an incident like this from occurring again.”

Automattic joins companies including RSA Security, Epsilon, and an unnamed reseller of SSL certificate authority Comodo in admitting to breaches that put its customers at risk. So far, there’s little public evidence about who is responsible for the hacks.

With about 12 percent of websites running WordPress, the platform has long been a target of hacks. In 2009, a spam-friendly worm attacked older installations of the program, including that of tech blogger Robert Scoble, who lost two months of blog entries as a result. It was the second time that year that his blogging software had been exploited.

More recently, WordPress.com came under a massive denial-of-service attack that made it impossible for many of its users to publish their content.

Source code stored on Automattic’s servers includes API keys and Twitter and Facebook passwords that can used to gain access to sensitive information, TechCrunch said.



Digg This
Reddit This
Stumble Now!
Buzz This
Vote on DZone
Share on Facebook
Bookmark this on Delicious
Kick It on DotNetKicks.com
Shout it
Share on LinkedIn
Bookmark this on Technorati
Post on Twitter
Google Buzz (aka. Google Reader)

Additional comments powered byBackType

  • RSS
  • Delicious
  • Digg
  • Facebook
  • Twitter
  • Linkedin
  • Youtube

Twitter updates

No public Twitter messages.

Popular Posts

Which Social Network

In the list below, please select all the social networks ...

Facebook Asks You Wh

On Friday, Facebook offered its users a sneak peak ...

Facebook Justin Bieb

“I can’t believe a GIRL did this just because ...

Friendster Hacked ?

Multiple users have reported receiving spam emails containing their Friendster ...

How To Disappear Fro

You will notice that on your profile, that the number ...

Sponsors

  • Cheap reliable web hosting from WebHostingHub.com.
  • Domain name search and availability check by PCNames.com.
  • Website and logo design contests at DesignContest.net.
  • Reviews of the best cheap web hosting providers at WebHostingRating.com.