Now would be a good time to update your account profile, if you’re a WordPress user (along with the credentials for any service you have connected to your WordPress profile)
According to Mullenweg, the break-in was limited but proprietary information could have been accessed:
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners' code. Beyond that, however, it appears information disclosed was limited.
Update: According to Automattic, this break-in "affects most of Automattic's services [...] Root level access potentially allows access to everything on the servers."