WordPress.com (the blog hosting platform) was compromised by hackers using an undisclosed vulnerability. My guess is the attackers found an unpatched server somewhere, and used that to get into the environment. Information from Automattic is limited, but they’re assuming that source code and other information was probably stolen. Nobody has come forth to claim the hack, or post WordPress’ source code and account information online, Gawker-style.
If you have a blog on WordPress.com, I recommend changing your password there (and on any other site where you may have used the same password). If you host your own WordPress blog, there isn’t cause for concern just yet as there are many ways that the hackers could have gotten root access, so the vulnerability used may not be within the WordPress software itself.
I’ll update this post should any more information come to light.
With the recent high-profile Gawker compromise, their entire source code and user database are available as a torrent. Some people have taken to cracking the (weak) password hashes, whilst others are looking for bugs in the source.
GBOTD#1 is a XSS found in the first 3 lines of the first file:
According to Mike, he’s already found over 30 bugs after just a few hours of hunting.
Gawker Media, who run many other sites including Lifehacker, Gizmodo and io9, have had their servers and databases hacked by a group called Gnosis. This results in over 1.3 million user accounts being compromised, across their various websites. Part of the issue is the fact that Gawker were using the outdated DES algorithm to secure passwords in the database, making it trivial for the hackers to crack the hashes. To make matters worse, many Gawker admins have also been using extremely weak passwords for their accounts. A full account from the hackers’ perspective can be found here, and there is clearly some beef between them and Nick Denton (owner of Gawker) who appears to have been baiting 4chan (baad idea).
The 1.3 million user accounts, together with Gawker Media’s source code, have been made available in a torrent posted on The Pirate Bay. You can quickly check whether your account is one of those by checking out this spreadsheet (Google). It’s safe to say that if you have any accounts on websites run by Gawker Media, you’re going to want to change your password. If you happen to reuse passwords a lot, then you’ll want to change your password everywhere… isn’t password reuse a joy?