After noticing some suspicious commits to popular WordPress plugins today in the main WordPress.org repository, passwords are being reset for all users of WordPress.org, bbPress.org and BuddyPress.org, Matt Mullenweg said on the WordPress blog.
The reset comes after suspicious commits to AddThis, wpTouch and W3 Total Cache that contained backdoors were spotted. The WordPress team promptly rolled back the changes and pushed updates to users who might have installed the plugins with the trojans, and shut down access to the repository.
The nature of the problem indicates that this was a small scale attack on specific plugin author’s WordPress.org accounts, but could have become a large scale problem that gave hackers access to millions of WordPress blogs, had the WordPress team not responded as quickly as they did.
The WordPress team is still looking into the situation to find out what happened, but to use the forums, trac, or commit plugins and themes you’ll need to reset your password before logging in.
A fantastic job by the WordPress team in dealing with a security breach before it became a serious problem. Sony could learn a thing!