As reported on the official Automattic blog, several of their servers were hacked. While some news outlets such as ZDNet are giving the story a rather scare-mongering tone, the official post and the replies in its comments were a lot more balanced.
It isn't the first open source software distributor to be hacked: Debian, the Linux distribution, suffered a similar compromise in 2006, and ProFTPD was hacked last year (with a backdoor inserted into the source tarball it distributed), but Automattic is one of the highest-profile victims so far.
Automattic is currently reviewing its security logs, and presumably doing forensics, to establish how far the intrusion went, and is plugging the holes that let the intruders in. A few things are worth noting. First, the hackers may have been after the non-open-source software that Automattic produces. The WordPress you can download and install is open source, but parts of the WordPress.com blog hosting service are not. It is hard to see what competitive advantage obtaining this code would give anyone, since a large part of it relies on WordPress as a platform. It would also suggest that one of the compromised servers was the Subversion server that hosts the source code.
The worry would be if back-door code was inserted into the code base, which is what happened in ProFTPD's case. In the open source code this can be checked for fairly easily, since every file in a release can be compared against the known-good revision in version control and against the published checksums; the closed source parts can only be audited internally, which makes tampering there harder to detect. I have faith that Automattic's team are doing a diligent job of reviewing for such an occurrence.
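The kind of check described above, as an added example that is not from the original post or from Automattic: hash every file in a known-good release tree, hash every file in the deployed (or suspected) tree, and report anything added, removed or modified. The two directory trees and the "tampered" file contents below are constructed inline purely so the script runs offline; in real use the known-good tree would be the release tarball downloaded from the project and verified against its published checksum.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Files present only in the deployed tree, only in the release, or with differing digests."""
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(
            k for k in expected.keys() & actual.keys() if expected[k] != actual[k]
        ),
    }


def write_tree(root: Path, files: dict) -> None:
    """Write a {relative_path: text} mapping out as a directory tree."""
    for rel, content in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content)


def demo() -> dict:
    # Constructed sample data (hypothetical file names and contents, not real WordPress code):
    # a pristine release and a deployed copy where one file was altered, one was planted
    # and one was deleted.
    pristine = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-config-sample.php": "<?php\ndefine('DB_NAME', 'database_name_here');\n",
        "wp-includes/pluggable.php": "<?php\nfunction wp_mail() { /* ... */ }\n",
    }
    deployed = dict(pristine)
    deployed["wp-includes/pluggable.php"] += "/* extra line not in the release */\n"
    deployed["wp-content/uploads/.cache.php"] = "<?php /* file not in the release */\n"
    del deployed["wp-config-sample.php"]

    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp) / "release"
        live = Path(tmp) / "deployed"
        write_tree(release, pristine)
        write_tree(live, deployed)
        return compare_manifests(build_manifest(release), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real run would exclude directories that legitimately differ between installs (uploads, themes, plugins, wp-config.php) and concentrate on the core files, which is exactly where a back door slipped into a release would have to live to reach every installation.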
What would be interesting to find out is how long the systems were compromised for, because the longer the hackers had access, the more mischief they could have performed, including covering their tracks in the very logs now being reviewed.
So what does this mean if you are using WordPress as your blogging platform? If you are self-hosting, i.e. not using WordPress.com's services but running the WordPress software that you or your web host installed, then you are largely unaffected. Just keep checking the news before you upgrade to the next version of WordPress, and verify the download against the published checksum rather than installing it blindly. If you have a WordPress.com account, you would be best advised to change your password (and to change it anywhere else you reused it), and to check the official blog for updates on what Automattic's investigation turns up.
I wonder whether one of the hackers' motivations was to spread fear and uncertainty about WordPress and Automattic's services. I don't share the worries of some other news outlets, but I do advise you to stay informed as events unfold. We should all applaud Automattic's openness in revealing the hack.