WPEngine, one of the largest hosting companies on the WordPress platform, has discovered a leak of credentials for its customers. The company avoids very carefully mentioning the word hacking in the announcement it issued, but it nevertheless states clearly the data leak.
Let's see what the announcement says:
At WPEngine we are committed to providing strong security. We are writing today to let you know that we have a report that includes some of our customer credentials. We look, we are active, taking security measures across our customer base.
We have already started an investigation, but we need to take immediate action. In addition, there is not something that requires your immediate attention.
While we have no evidence that leaked information has been misused as a precautionary measure, we are canceling the five following passwords associated with your WP Engine account. This means that you will need to restore each of them. Instructions on how to reset these codes are located at the bottom of this email.
In the WPengine portal
In the WordPress database
In SFTP
In the original WP-Admin Account
In all Password Protected Installs
As a best practice, we also recommend that you use this password elsewhere with other applications to change it immediately.
We apologize for any inconvenience this may cause. We take this report as an opportunity to revise and strengthen our security and remain committed to strong internal security practices and procedures.
We take the safety of our customers very seriously. You can get more information about the event from the page http://wpengine.com/infosec