Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.
We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)
They also offer standard good advice:
As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.
Second, if you use AddThis, WPtouch, or W3 Total Cache and there’s a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version.
Meanwhile Dropbox, the digital locker service, has had to face the fact that it broke its own authentication system for four hours on Tuesday – which meant that anyone could log in to anyone else’s account. Dropbox says that it thinks only 1% of people logged into accounts in that time, though of course it doesn’t know if they were the ones who were meant to log in to them.
Many people might say “no harm done – all that’s happened is that someone might stick some files in your Dropbox.” Yes, or read them. Or, as someone suggested, stick a malware-infected file in. It’s a bad lapse for Dropbox. There’s enough hacking going on as it is without this.