As you may have already read in the news, WordPress.com (the WordPress hosting service provided by Automattic, not the self hosted open source platform) had a security incident last week. Someone gained root access to some of the servers used by Automattic and possibly anything on the servers could have been copied.
Now you may say “I’m not using WordPress.com since I have my own self-hosted blog”, but you may have an account at WordPress.com anyway. When I got my Akismet API key a long time ago you had to sign up for a WordPress.com account to get your key (now you can get it directly from Akismet.com), so even if you don’t have a blog at WordPress.com they may have vital information about you.I checked my account at WordPress.com (which I haven’t used in ages) and noticed that I had the same password for my gmail.com account and the WordPress.com account
. This is not just bad, this is horribly bad especially since I’m always writing in my blog posts about security that you should never do like that.
Most sites (and I guess WordPress.com is included in this category) got their users password encrypted some way (i.e. not stored in plain text), so the damage may not be as big as it could have been if they had the passwords in plain text. But now the attacker may have a bunch of passwords and gmail.com, Yahoo mail or any other email address. Since I wrote here that it’s easy to crack encrypted passwords using brute force and especially if you have a list of passwords without any limits on the number of tries to crack the passwords (like I wrote in my last post).
Once the password has been cracked they also know your email provider and can easily access your email ;-( . Since you have probably used the same email address to sign up for other sites like for example Facebook, Google, Yahoo, Twitter, MSN, Bing and so on it’s no problem at all for the hacker to access these sites too. And the scary thing here is that as long as you have used your hacked email account to sign up for these other services it doesn’t matter if you used other passwords at the other sites since you’ve used the same email address. You’ve used the email address the hacker got access to, and now he can easily let Facebook, Google, and so on email the passwords to your email address (which he got access to).
So the lesson today is to not use the same password on multiple sites (and especially not on your email account and another site like Google, WordPress, Facebook). Even if no passwords where disclosed in the WordPress attack this time you should be prepared for the worst.