At this particular point in time, they do not know whether any passwords/credentials have been compromised, but their source code (both their Open Source code, and private code that some users, like their VIP blogs, were using) was exposed, and while they're not straight out recommending people change their passwords, they're hinting that it would be a good idea.
Also, folks who have linked their WP.com and FB/Twitter accounts may want to de-link them, to be on the safe side.
