Security Watch

Keeping Track of patches and hacks in the IT security world.

WordPress Resets 100,000 Passwords After Google Account Leak

The impact of Google's password leak of 5 million user accounts spreads to WordPress.

data breach

Password reuse is not a fictional issue; it's a clear and present danger. Just ask popular blogging service Last week, information on 5 million Google accounts was publicly posted on a Russian Bitcoin forum site. On Sept. 10, Google responded to the issue by publicly denying that its site had been breached and claiming that fewer than 2 percent of the accounts in the Russian breach list were actually valid.

As it turns out, although Google itself didn't see much impact, the exposure from the 5 million accounts is broader than just Google.

Late evening on Sept. 12, WordPress revealed that it was taking proactive measures to secure its users against the Google account disclosure. WordPress has an open-source content management system (CMS) as well an online service at, where users can create their own blogs. accounts can also be used by self-hosted open-source WordPress users to get a number of services from

"This list was not generated as a result of an exploit of, but since a number of emails on the list matched email addresses associated with accounts, we took steps to protect our users," WordPress staffer Daryl Houston wrote in a blog post. "We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the password."

So to recap, information on 5 million Google accounts was publicly posted, and the information did not come from a breach of either Google or Google has stated that approximately 2 percent of its users were impacted, which works out to be approximately 100,000 users—not coincidentally, the same number of accounts that WordPress has reset., like Google, is also being proactive with its users about the potential risk. While the only immediately vulnerable users from the Google accounts disclosure are those with a valid username and password, there is still a potential risk for the other accounts as well.

Houston noted that in addition to the 100,000 accounts that were reset, an additional 600,000 WordPress accounts are also potentially at risk, since the account emails are on the leaked Google account list.

"Since these users were not immediately vulnerable, we did not reset their passwords or send emails but we will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand," Houston wrote.

Clearly, users reuse accounts and passwords across sites. It's a risk that security experts often have warned of after many breaches, and it's not a theoretical risk. Simply put, password reuse increases the risk for users whenever a breach occurs. The unfortunate reality of the modern world is that breaches are a common occurrence, so the prudent course of action is to have unique passwords for different sites to minimize the risk.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.