It was announced yesterday that WordPress.com was hacked. They are still investigating the extent of the hack and what data may have been compromised.
They recommend some preliminary measures, such as changing your passwords, not re-using passwords across different sites, and using a password manager.
All of these are good, necessary measures to protect yourself.
This is what I recommend you should do to protect yourself:
1. Change your username and/or email address in addition to changing your password.
2. Generate new API keys for Webmaster Tools if you use them.
3. Check your settings for data you don’t recognize (such as links to malicious ads).
4. Be wary of suspicious emails or SMS messages sent to you in the next few months, especially those asking you to reset passwords. Your phone numbers and e-mail addresses may have been exposed.
5. If you use the hosted version of WordPress and you use the Jetpack feature, you should reset your password, as Jetpack requires you to create an account on WordPress.com.
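Step 3 is the one that is easy to do badly by eye: injected ad links tend to hide in widgets, footers and old posts. The script below is an added example (not from the original post) of doing that check mechanically. It assumes you have the blog content as HTML text (for example from an export or a copied widget) and that you keep an allowlist of domains you know you link to; the sample HTML and the allowlist are both constructed for illustration.

```python
"""Flag links in exported WordPress content whose domains you do not recognize.

Added example, not code from the original post. Assumes the content is
available as HTML text and that KNOWN_DOMAINS lists the domains the blog
owner knowingly links to. SAMPLE_HTML and KNOWN_DOMAINS are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the blog owner knows they link to.
KNOWN_DOMAINS = {"wordpress.com", "wordpress.org", "example-blog.test"}

# Constructed sample of exported blog/widget HTML with an injected ad link
# and an injected script tag mixed in among legitimate links.
SAMPLE_HTML = """
<p>Read more on <a href="https://wordpress.org/support/">the WordPress.org forums</a>.</p>
<div class="widget">
  <a href="http://cheap-pills.example.net/?ref=wp">Best deals</a>
  <a href="https://sub.example-blog.test/about">About me</a>
  <a href="/contact">Contact</a>
  <script src="http://tracker.example.org/a.js"></script>
</div>
"""


class LinkCollector(HTMLParser):
    """Collect every URL found in href and src attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def hostname_of(url):
    """Return the lowercased hostname of a URL, or None for relative links."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def is_known(host, known=KNOWN_DOMAINS):
    """True if host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in known)


def find_unknown_links(html, known=KNOWN_DOMAINS):
    """Return the absolute URLs in html whose domain is not on the allowlist."""
    collector = LinkCollector()
    collector.feed(html)
    unknown = []
    for url in collector.urls:
        host = hostname_of(url)
        if host is None:  # relative link: stays on this site, nothing to flag
            continue
        if not is_known(host, known):
            unknown.append(url)
    return unknown


if __name__ == "__main__":
    for url in find_unknown_links(SAMPLE_HTML):
        print("unrecognized link:", url)
```

The allowlist check uses a suffix match on the dot boundary, so `sub.example-blog.test` is accepted while `example-blog.test.evil.example` is not. Anything the script prints is a candidate to look at, not proof of compromise; links you simply forgot about will show up too, which is the point of keeping the allowlist honest.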
WordPress.com has calmed a lot of customers down by being transparent about the initial incident in their blog post. Hopefully they will continue to communicate once they have finished their investigation.
Take note that having a blog on WordPress.com is different from having your WordPress blog hosted on GoDaddy, DreamHost, Media Temple, etc. Read more about the differences between WordPress.com and WordPress.org.
I would check back on the WordPress.com blog and look for any updates.
The comment section also provides good insight into customer sentiment and additional details provided by WordPress.
It’s still up in the air as to whether this truly pans out as a legitimate vulnerability. Komodo says XYZ, and Verisign/Symantec says VWX.
It’s not all gloom and doom. People just need to be aware of the websites they are using and whether each site uses the certificate type that is vulnerable. If it does, send a message to the site’s webmasters and to the certificate issuer asking them to kindly fix it – FAST. And don’t use the affected site until they do.
Not all sites are going to be affected, mind you. Not all SSL certificates are created equal.
Remember, it’s “your” privacy that’s at risk.