Help with e-mail received from WordPress

  • Hi,

    I set up a WordPress way back in 2010 that I used twice in that year and forgot it existed until today, when I received this e-mail below from passwordhelp@wordpress.com. I’ve read on other threads that if WordPress find you using the same e-mail combination on another site, they will change it but just concerned with the wording on this:

    Howdy,

    We recently discovered your login credentials in a list of compromised emails and passwords published by a group of security researchers. This list was not generated as the result of any exploit on WordPress.com, but rather someone gaining access to the email & password combination you also used on another service.

    Does this mean my e-mail and password have been compromised elsewhere other than WordPress, or is it the security measure that has been outlined above? Looking for some clarity.

    Thank you.

  • The message clearly states “This list was not generated as the result of any exploit on WordPress.com”, or “your e-mail and password have been compromised elsewhere other than WordPress”. In order to prevent someone from hijacking your account, you must change your password asap.

  • Hi operationgolden,

    Does this mean my e-mail and password have been compromised elsewhere other than WordPress, or is it the security measure that has been outlined above?

    We regularly import known lists of potentially compromised user accounts and passwords from other sources, which helps to keep our users secure. haveibeenpwned.com is a useful resource for checking if/where your email address has been leaked, if you would like more information.

    We are asking you to reset your password as a precaution — doing so will help maintain the security of your account.

    If you have any questions or concerns, you’re welcome to reply to the email directly and we will follow up with you there.

    Thanks!

  • Hello,

    Today I received the very same email, claiming I have used the password somewhere else.

    Which is NOT true. I had used a unique 20-character-long password with lower/upper case and numbers. 2-step authorization is enabled too. So whoever got this password didn’t get it from another account etc., as I haven’t used this password anywhere else than for WordPress. Needless to say, I changed it.

    Happy holidays :)

  • Hi dimple2,

    I haven’t used this password anywhere else than for WordPress. Needless to say, I changed it.

    You were prompted to update your password in order to help keep your account secure. Thanks for making that change, and just reply to our email if you have any questions.

    Happy holidays to you too :)

  • Just adding to this. I wondered if it was to do with the lists on HIBP, but my e-mail (actually in two forms, since @gmail.com and @googlemail.com are used the same) hasn’t shown up in any lists in the past three months (I think the last was the big one in August), so I just wanted to find out what prompted you to reset my password now.

    Of course this is important to me since if you based this reset on my password actually being found in a list, that’s a huge problem. I do use several passwords but I don’t use unique ones for every site. However, if you just based these resets on e-mail addresses alone showing up, that wouldn’t worry me quite as much. What dimple said suggests this. Nevertheless, I’ll try to change the password of as many accounts as I remember for sites I used the same password for as WordPress.

    Merry Christmas anyhow!

  • but my e-mail (actually in two forms, since @gmail.com and @googlemail.com are used the same) hasn’t shown up in any lists in the past three months (I think the last was the big one in August), so I just wanted to find out what prompted you to reset my password now.

    The most recent list that came to our attention is described in more detail in this article (which has up-to-date information about the database that was leaked online):
    https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14

    Haveibeenpwned.com is just one of several services we monitor that disclose data from known breaches like this. So your email not being flagged on haveibeenpwned does not necessarily mean it hasn’t been part of any breach.

    Of course this is important to me since if you based this reset on my password actually being found in a list, that’s a huge problem. I do use several passwords but I don’t use unique ones for every site.

    From what I can see, we did only reset passwords on accounts that had passwords matching that list, so it’s possible your password was compromised on another service where you had the same password. As a precaution I’d recommend updating the passwords on all your online accounts, and making them unique to each account from here on out. If you’re not using one already, a password manager is really the best way to do this.

    Selecting a Strong Password
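One way a service can perform the matching the reply above describes (resetting only the accounts whose stored password actually verifies against a leaked email/password pair, so an email that merely appears in a list is not enough), as an added Python example that is not WordPress.com's own code; the user records, the breach entries and the googlemail/gmail folding are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor; production values are usually higher


def normalise_email(address):
    """Lower-case the address and fold googlemail.com onto gmail.com, since both
    deliver to the same mailbox (the situation the poster above describes)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain == "googlemail.com":
        domain = "gmail.com"
    return f"{local}@{domain}"


def hash_password(password, salt=None):
    """Return (salt, digest). The site stores only these, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def accounts_to_reset(users, breach_list):
    """Return the (normalised) emails whose stored hash verifies against a leaked
    password for the same email. A leaked pair with the wrong password, or an
    email the site has never seen, triggers nothing."""
    flagged = set()
    for leaked_email, leaked_password in breach_list:
        email = normalise_email(leaked_email)
        record = users.get(email)
        if record is not None and verify_password(leaked_password, *record):
            flagged.add(email)
    return sorted(flagged)


# Constructed sample data: a tiny user table and a tiny "breach list".
USERS = {
    normalise_email(e): hash_password(p)
    for e, p in [("alice@example.com", "correct horse"),
                 ("bob@googlemail.com", "Tr0ub4dor&3"),
                 ("carol@example.com", "unique-20-char-secret")]
}
BREACH_LIST = [("alice@example.com", "correct horse"),   # email + password match
               ("BOB@gmail.com", "Tr0ub4dor&3"),         # alias domain, still a match
               ("carol@example.com", "not-her-password"),  # email only, no reset
               ("dave@example.com", "hunter2")]          # not a user here
```

Running `accounts_to_reset(USERS, BREACH_LIST)` flags only alice and bob; carol's email is in the list but her password does not verify, which is the distinction the staff reply draws.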
