Apr 14, 2011 10:41 GMT

Hackers have broken into servers owned by Automattic, the company operating the WordPress.com blogging service, and might have stolen proprietary code.

In a post on the official WordPress.com blog, Automattic's founder and president, Matt Mullenweg, said that attackers managed to obtain low-level (root) access on several of the company's servers.

The method used in the compromise has not been disclosed, so it could be anything from stolen credentials or SSH keys to the exploitation of a vulnerability in an Internet-facing service.

Mr. Mullenweg does, however, say the avenues used to gain access were "re-secured" and that other steps were taken to prevent such incidents from occurring in the future.

The investigation is still ongoing, but based on a review of the logs the company presumes that open source and proprietary code stored on the servers was compromised.

"While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited," Mullenweg, who is also a leading WordPress developer, writes.

The company doesn't make any special recommendations as a result of the incident, except for advising people to use strong passwords that combine letters with punctuation and to create different ones for separate websites.

When asked if user passwords were compromised, Mr. Mullenweg said that even if they had been stolen they would be extremely hard to crack, because they were hashed and salted.
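Why "hashed and salted" matters for a stolen password database: an added example, not code from the article or from Automattic. It assumes PBKDF2-HMAC-SHA256 as the hash (the article does not say which scheme WordPress.com used), a constructed sample of two users who picked the same password, and a simple `$`-separated storage format of our own. It contrasts a bare unsalted digest, where identical passwords collide and a single precomputed table cracks every account at once, with a per-user random salt and a slow iterated hash, which force an attacker to work each account separately.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happened to choose the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Assumption: iteration count for PBKDF2; tune upward for your hardware.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast digest, no salt. Equal passwords give equal hashes,
    so one rainbow table or one cracked hash exposes every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. Each call draws a fresh 16-byte random salt unless one
    is supplied (supplying one is only for tests); the salt and iteration count are
    stored alongside the digest because both are needed to verify later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare
    in constant time so timing differences leak nothing about the stored value."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_store(users: Dict[str, str]) -> Dict[str, str]:
    """What a breached credentials table would contain under the salted scheme."""
    return {user: hash_password(pw) for user, pw in users.items()}


def share_stored_digest(store: Dict[str, str], user_a: str, user_b: str) -> bool:
    """True if two accounts' stored digests are identical (they never should be
    under per-user salting, even when the passwords are the same)."""
    return store[user_a].split("$")[-1] == store[user_b].split("$")[-1]


if __name__ == "__main__":
    # Unsalted: the two identical passwords are visibly identical in the table.
    print("unsalted collide:",
          unsalted_hash(SAMPLE_USERS["alice"]) == unsalted_hash(SAMPLE_USERS["bob"]))
    store = build_store(SAMPLE_USERS)
    # Salted: same password, different stored records.
    print("salted collide:  ", share_stored_digest(store, "alice", "bob"))
    print("alice verifies:  ", verify_password("correct horse battery staple", store["alice"]))
    print("wrong rejected:  ", verify_password("hunter2", store["alice"]))
```

Running the block prints that the unsalted digests collide while the salted records do not, and that verification still accepts the right password and rejects a wrong one. Per-user salting is what turns "crack the table once" into "crack every account individually", which is the property Mullenweg is relying on above.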

"This potentially affects several of Automattic’s services. Based on the information we have we don’t think user information was accessed, but it’s certainly possible, and so wanted to remind people of security best practices," he added.

The WordPress expert goes on to suggest several password management tools like 1Password, LastPass and KeePass to help users keep track of multiple complex access codes without having to remember them.