The leak did not feature any usernames and passwords. But the bug did send sensitive account tokens to third parties. These account token are basically bits of code which let a user log into an app without having to enter the password each time. The tokens can give malicious actors free access to accounts if intercepted.
WordPress's Android app and self-hosted installations though remained unaffected. The company has written to its customers saying that it had “uncovered an issue with the WordPress iOS application with how it handles security credentials. The company has currently disconnected the accounts which were affected by the bug.”
The company though chose to not reveal the technical details behind the leak. Hence, the scale of the users impacted by the issue is not known. WordPress’s parent company Automattic told in a statement that the first affected version was released in January 2017. And the version 11.9.1 released on March 15, 2019 fixed the security issue. Users are advised to update their iOS apps.