WordPress managed hosting service WP Engine has been breached in an attack that has exposed user credentials.

The firm was made aware of the hack on the 9th December 2015, and yesterday updated customers saying that there "was an active, on-going investigation, including federal law enforcement" as well as an external security firm, and therefore the firm is limited in what it can say publicly.

WPEngine contacted customers telling them to change their passwords for the WP Engine User Portal, SFTP, riginal WP-Admin Account, and Password Protected Installs and Transferable Installs. Users’ WordPress Databse passwords need changing too, but WP Engine deals with this.

It is not yet clear who is behind the attack, or by what methods it was carried out. It is severely embarrassing for WP Engine though, which says it is for "hosting for mission critical sites".

WordPress , a popular blogging platform and CMS, has itself recently been exposed as having vulnerabilities.