
Automattic reacts to leak of Gmail logins, resets 100,000 passwords
NewsPoster
MacNN Staff
Sep 14, 2014, 02:23 PM
Fallout could still be on the way from the collection of nearly five million Gmail username and password pairs leaked on a Russian Bitcoin forum, but for now at least one company is taking action. Automattic, the company behind the WordPress.com blogging platform, announced that it has reset the passwords of more than 100,000 accounts based on the information contained in the list.

Automattic's Daryl L. Houston said that the company downloaded the list and compared it against the WordPress.com user database. It found that more than 100,000 WordPress.com accounts used the same password that was associated with the matching Gmail address on the list. The company stressed that the list wasn't created through an exploit of its own services, but it wanted to take steps to protect its users.

Deciding to be proactive, Automattic reset the passwords on all of the accounts with a matching email and password combination. An email was also sent to each affected user explaining how to regain access to the account and set a new password. Once those users visit the WordPress.com site and hit the "login" button, they will be prompted to reset the account password.

For the more than 600,000 other WordPress.com users whose Gmail address turned up on the list but whose WordPress.com password did not match the leaked one, the company isn't taking the same action. Those users will still be warned: any account in this situation will see a notification on the dashboard at the next login. As a bonus, the notification also informs users who were concerned that their email might be on the list but didn't want to check it through unofficial channels.

"Since these users were not immediately vulnerable, we did not reset their passwords or send emails, but will be enabling a notification in their dashboards so that they can assess the security of their passwords at their leisure and with all of this information in hand," said Houston.

The post also suggested that users enable two-factor authentication for their WordPress.com accounts, and reiterated the importance of using a unique password for every account a person holds.
( Last edited by NewsPoster; Sep 15, 2014 at 04:00 AM. )
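The article says Automattic "compared" the leaked list to its user database, which raises the obvious question of how a site that (as it should) stores only salted password hashes can tell whether a leaked plaintext password matches. The answer is that the check runs in the same direction as a normal login: hash the leaked password with the salt stored for the matching account and compare the result against the stored hash. The following is an added example that is not code from the article, from Automattic, or from WordPress.com; the storage scheme (PBKDF2-HMAC-SHA256 with a per-user random salt), the `email:password` leak format, the user records and the leaked lines are all constructed here for illustration. It sorts matches into the two groups the article describes: accounts whose password matches (force a reset) and accounts that merely share an email address with the leak (notify only).

```python
import hashlib
import hmac
import os

# Work factor for the illustrative hash scheme (assumption, not WordPress.com's).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted hash. Only this derived value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored user record: random salt plus hash, never the plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user database, keyed by lower-cased email address.
USER_DB = {
    "alice@gmail.com": make_record("correct horse battery"),
    "bob@gmail.com": make_record("bob-unique-pass-2014"),
    "carol@gmail.com": make_record("hunter2:with:colons"),
}

# Constructed sample of a leaked "email:password" dump, including a junk line
# and an address the site has never seen.
LEAKED_LIST = """alice@gmail.com:correct horse battery
bob@gmail.com:password123
dave@gmail.com:letmein
CAROL@gmail.com:hunter2:with:colons
this line has no separator
"""


def parse_leak(text: str):
    """Yield (email, password) pairs; split on the FIRST colon so passwords
    containing ':' survive, and skip lines that do not fit the format."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password


def triage(leak_text: str, user_db: dict):
    """Return (reset, notify): emails whose leaked password matches the stored
    hash, and emails present in the leak whose password does not match."""
    reset, notify = set(), set()
    for email, leaked_pw in parse_leak(leak_text):
        record = user_db.get(email)
        if record is None:
            continue  # not one of our users; nothing to do
        candidate = hash_password(leaked_pw, record["salt"])
        # Constant-time comparison, exactly as a login check would do it.
        if hmac.compare_digest(candidate, record["hash"]):
            reset.add(email)
        else:
            notify.add(email)
    return reset, notify


if __name__ == "__main__":
    to_reset, to_notify = triage(LEAKED_LIST, USER_DB)
    print("force password reset:", sorted(to_reset))
    print("dashboard notice only:", sorted(to_notify))
```

Two practical points follow from this. First, the site never learns anything it did not already hold: it only re-runs its own one-way hash on attacker-supplied input, so the check is compatible with properly hashed storage. Second, the cost of the check scales with the hash's work factor times the number of leaked lines that match a known email, so on a multi-million-line dump this is a batch job rather than something to run inline.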
prl99
Senior User
Sep 14, 2014, 07:14 PM
Explain to me how Wordpress knows what a user's password is? This would mean Wordpress either stores the password in clear text or has an algorithm that is able to parse an encrypted password. Neither one of these is good password management.
Charles Martin
Mac Elite
Sep 15, 2014, 12:21 AM
While you raise a good point (and should probably contact the company about your concerns to get a proper answer), your ire seems a bit misdirected. I would suggest that the fact that Google obviously stores passwords in clear text (so that the thieves could obtain them) is the bigger problem here.
zehspoon1
Fresh-Faced Recruit
Sep 15, 2014, 08:59 AM
Moreover, prl99's post goes to the fact that no data is truly protected when stored on someone else's computer. Period! A tacit trust in admins/other entities not to peruse someone's data is one of the largest oversights regarding "the cloud" and computing in general. When one stores one's data on someone else's computer, one has no true guarantees about that data. It isn't like having your money hacked from the bank. They can replace your money (even though you still pay in the end with fees); one's data, when breached, can't be recovered.
prl99
Senior User
Sep 15, 2014, 09:35 AM
I was only talking about logon/password data. It appears Wordpress lets you use your gmail account logon and password to log onto their site. If so, they have to have some kind of trust relationship with Google's account management system. Of course we're talking about Google so there might not be any. No matter how Wordpress uses the gmail account information, once this information is saved in a password database it is supposed to be encrypted. In fact, the whole process of creating an account should be encrypted and the password should never be entered in a mode where the Wordpress admin could even retrieve it and look at it. Back in the days when we used a Solaris passwd entry, an admin could recover the password but I don't think this is the case anymore with a typical LDAP database. (or is it?) I don't remember being able to extract a person's password for a long time, they have to recreate it through a secure process. As zehspoon1 states, we have to depend on the protection of a remote site, which is why I deleted my gmail account a year or two ago and would rather create a specific user account on every website I visit than using a general one (like Google, yahoo, facebook, or any of the others). I do use a disqus account when the website has it available but I rarely keep any actual data or much personal information on any of these sites. iCloud is the one exception but I trust Apple a whole lot more than any other site to secure my information.