According to a post on WordPress’ blog, Automattic [which runs the WordPress blogs] had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
They have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. They presume their source code was exposed and copied. While much of their code is Open Source, there are sensitive bits of their and their partners’ code. Beyond that, however, it appears information disclosed was limited.
Read the full article posted by WordPress: WordPress Announces Security Incident