Really sparse on the details. Were the servers accessed due to a vulnerability in WordPress, other PHP or world-accessible code, a server misconfiguration, an "inside job", or what? I think it's important to have a bit more information about the nature of the attack, so that we know if independent WordPress installations are vulnerable and if/when we should reset keys and passwords.
