Earlier last week, nearly 5 million Gmail username and password combinations were found publicly leaked on a Russian Bitcoin forum. Google later stated that it had identified no security breach on its end.
Automattic, the company that operates the hosted blogging service WordPress.com, has revealed that it took proactive measures to secure nearly 100,000 accounts in response to the Gmail leak.
The company addressed the issue quickly, but pointed out that the Gmail leak was in no way connected to WordPress itself. Automattic outlined that it downloaded the leaked list, compared it with its own user database, and forced a password reset only for users whose leaked password matched their WordPress.com password.
“We downloaded the list, compared it to our user database, and proactively reset over 100,000 accounts for which the password given in the list matched the WordPress.com password,” explained Automattic’s Daryl Houston.
Users affected by the leak have been sent email notifications with password reset instructions, Houston explained. Affected users were asked to click the login button on the homepage and request a new password.
This is another timely reminder that it is never a good idea to reuse the same password across multiple websites. If one account is breached, the reused password makes it far easier for attackers to take over accounts on other sites.
For added protection, it is always recommended to enable two-factor authentication where possible, which WordPress.com also provides. Steps to enable two-factor authentication can be found in their blog post.
Automattic also revealed that 600,000 email addresses on the leaked Gmail list matched the email addresses of its users, but it did not force those users to reset their credentials because their WordPress.com password differed from the leaked one. Instead, Automattic placed a notification in their account dashboard so that those users can assess their own security.
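The triage Automattic describes (compare a leaked email:password list against your own user store, force a reset where the password matches, and only notify where the email matches but the password does not) can be reproduced without ever storing plaintext passwords, because verifying a leaked candidate against a salted hash is the same operation as a login check. The following is an added example written for this article, not Automattic's or WordPress.com's own code; the user records, the PBKDF2 parameters, and the sample leak text are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed parameters for the example; a real deployment tunes these
# to its hardware and password-hashing policy.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False          # forced reset: leaked password matched
    dashboard_notice: bool = False    # email on the list, password did not match


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the only form in which passwords are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(SALT_BYTES)
    return UserRecord(email=email.lower(), salt=salt, pw_hash=hash_password(password, salt))


def verify_password(user: UserRecord, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash)


def parse_leak(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines. Splits on the first ':' only, so passwords
    containing ':' survive; blank or malformed lines are skipped."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        if email:
            creds.append((email.strip().lower(), password))
    return creds


def triage_leak(leak_creds, users_by_email):
    """Return (emails to force-reset, emails to notify only).
    A user may appear several times in a leak; one matching entry means reset."""
    force_reset, notify = set(), set()
    for email, password in leak_creds:
        user = users_by_email.get(email)
        if user is None:
            continue                      # not our user: nothing to do
        if verify_password(user, password):
            force_reset.add(email)
        else:
            notify.add(email)
    return force_reset, notify - force_reset


def apply_actions(users_by_email, force_reset, notify):
    """Flag the affected records; a real system would also invalidate sessions."""
    for email in force_reset:
        users_by_email[email].must_reset = True
    for email in notify:
        users_by_email[email].dashboard_notice = True
    return users_by_email


# Constructed sample data for the demonstration.
DEMO_LEAK = """\
alice@example.com:correct horse
bob@example.com:Password123
bob@example.com:hunter2
carol@example.com:not-her-password
dave@example.com:whatever
"""


def build_demo_users():
    users = [
        create_user("alice@example.com", "correct horse"),   # reused: reset
        create_user("bob@example.com", "hunter2"),           # one of two entries matches: reset
        create_user("carol@example.com", "unique-pass"),     # email only: notice
    ]
    return {u.email: u for u in users}


def run_demo():
    users = build_demo_users()
    force_reset, notify = triage_leak(parse_leak(DEMO_LEAK), users)
    apply_actions(users, force_reset, notify)
    return force_reset, notify, users


if __name__ == "__main__":
    reset, notice, users = run_demo()
    print("force reset:", sorted(reset))
    print("dashboard notice:", sorted(notice))
```

Running the block prints `force reset: ['alice@example.com', 'bob@example.com']` and `dashboard notice: ['carol@example.com']`; dave is not a user and is ignored. Two points matter for a defender running this at scale: the leaked plaintext is used only as a verification input and is never written to the user store, and the per-check cost is the same as a login, so the work is bounded by the number of leaked entries that match an existing email rather than by the size of the user base.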