"Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed," said Matt Mullenweg, the founding developer of WordPress, on the official WordPress blog.
Confidential information relating to the WordPress code base was likely stolen. "We presume our source code was exposed and copied," he said. "While much of our code is open source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears information disclosed was limited."
The breached servers also contain hosted WordPress sites, but these are distinct from the WordPress software itself, which anyone can download and install on their own site. "It's worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org," said Graham Cluley, senior technology consultant at Sophos, in a blog post.
Automattic has been working to clean up the breach and block similar attacks in the future. According to Mullenweg, "we have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access."
Fortunately, there's no evidence that attackers stole WordPress.com users' passwords. Even if they did, however, Automattic stores all passwords in hashed and salted format, using phpass, which would make them quite difficult to crack.
Cluley lauded WordPress for disclosing the breach in a clear and forthright manner. "To its credit, Automattic ... didn't mince its words or try to apply any spin to the incident," he said.
Nevertheless, he and Mullenweg alike recommend that everyone with a blog on WordPress.com immediately change their password.
"We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many Internet users have chosen to use the same password on multiple websites," said Cluley. "If your password was stolen from one website, it could then be used to unlock many other online accounts--and potentially cause a bigger problem for you. So always use unique passwords."