Hackers appear to have stolen source code in a root-level attack on WordPress that could compromise its VIP clients including NASA, the BBC and the New York Times.
Attackers compromised Automattic, the company that maintains the popular WordPress publishing platform, and broke into several servers, gaining access to "potentially anything on those servers", according to the company.
WordPress founder Matt Mullenweg said in a statement that it was unlikely that access details were stolen.
"We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears information disclosed was limited," Mullenweg said.
"Our investigation into this matter is ongoing and will take time to complete."
Details were scant on the impact to the estimated 30 million publishers serviced by WordPress, but most customers responding to the WordPress statement were grateful for the disclosure.
Mullenweg advised customers to change passwords and ensure that they are different across websites.