An intruder broke into WordPress.com and gained access to multiple servers and the source code that powers blogs for its VIP customers, including CNN, CBS, Flickr and TED. This attack follows a distributed-denial-of-service attack that knocked WP offline last month.
The "low-level" break-in on several WordPress.com servers gave the attacker the highest level of access to all of the information stored on the systems, Matt Mullenweg, founder of Automattic, wrote on the WordPress.com corporate blog on April 13. The root-level attack may have the biggest impact on the VIP customers because the source code for VIP customers was exposed.
Most of the code that powers the WordPress blogging platform is open source. However, there are "sensitive bits of our and our partners' code," on WordPress.com that may have been exposed and copied, Mullenweg said.
"Tough note to communicate today," Mullenweg wrote.
Mullenweg did not say which of the VIP sites were affected, but said, "The information disclosed was limited."
TechCrunch is a VIP customer and the site reported that VIP customers "are all on -code red'" as the company investigates the incident. Automattic is currently in the process of changing all the passwords and API keys that were in the source code.
It seemed unlikely that personally identifiable user information was exposed, but Automattic has yet to complete its investigation. However, TechCrunch noted that as the site source code includes API keys and passwords for Twitter and Facebook, the attacker can potentially gain access to sensitive information and shut WordPress.com customers out of their social-networking sites.
The company is reviewing its data logs to determine the extent of the breach and what was stolen and patching security holes to "prevent an incident like this from occurring again."
"Our investigation into this matter is ongoing and will take time to complete," Mullenweg wrote.
When remediating these incidents, it's critical that system administrators perform a full security audit, Josh Shaul, CTO of Application Security, told eWEEK. If the administrator is just closing the specific hole that the attackers used, it's possible the attackers "just got locked inside with you," Shaul said. There is no way to know whether or not the attacker created other backdoor mechanisms or discovered other vulnerabilities during the time it was in the network. If the administrator does not perform a full security audit, even if the actual attack path had been closed off, the malfeasants have the inside knowledge to get back in, Shaul said.
Mullenweg suggested that WordPress customers make sure they are using strong passwords, and that they aren't reusing them across multiple sites. He also suggested using password managers like LastPass or KeePass to make it easier to track complicated passwords.
Attackers also broke into WordPress in 2009 by exploiting a security vulnerability to create new "hidden" administrator accounts. The site was also hit by an "extremely large" distributed-denial-of-service attack on March 3, making it near impossible to access blogs hosted on the platform for about two hours.
WordPress users hosting the software on their own servers are not affected by this breach.