WordPress.org 'Password Resets' Due to Compromised 'AddThis, WPtouch, W3 Total Cache' Plugins

WordPress.org is reporting that it has noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors.

"We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory," said the team.

"We're still investigating what happened, in the meantime as a prophylactic measure we've decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you'll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)," they added.

According to WordPress founder Matt Mullenweg, users who try to log in to WordPress.org will get the following message: "On June 21, 2011, we reset all passwords, so you'll need to request a new one if you haven't already."

Mullenweg says that WordPress.org itself was not hacked, but that some plugin author accounts were: "There are 15k plugins so happens sometimes. We haven't pissed off LulzSec yet. :)"

Finally, if you use AddThis, WPtouch, or W3 Total Cache, make sure to visit your updates page and upgrade each to the latest version.

[Source: WordPress]