Drupal.org Gets Hacked, Resets All User Passwords

Open source content management platform Drupal has been forced to reset passwords for all user accounts, after some account information was compromised by an unidentified attacker.

The hacker might have accessed usernames, email addresses and passwords for millions of users, but did not obtain any financial information, Drupal said.

Drupal.org and groups.drupal.org were the only websites hit, not the hundreds of thousands of customer sites running on the platform. Holly Ross, executive director at Drupal Association, said that the attack was possible due to a vulnerability in third-party software, and not any shortcomings on behalf of the Drupal team.

Emergency response

Drupal, launched in 2001, is a free platform available under the GNU General Public License. It is used as a back-end system for at least 2.1 percent of all websites worldwide, including everything from government projects like data.gov.uk to media-heavy entertainment portals like MTV UK.

On Wednesday, Drupal’s Security and Infrastructure Teams discovered “unauthorised access” to some of the site’s resources. Shortly after, they shut down the association.drupal.org resource to mitigate the damage.

The attacker was able to access usernames, email addresses and customer location information, as well as hashed and salted passwords.

Ross said that the incident is still being investigated, and other types of information might have been compromised. As a precautionary measure, the organisation has reset all passwords. Customers will be able to set new passwords at their next login attempt.

“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” noted Ross. Drupal has also taken steps to prevent similar incidents from happening in the future, like rebuilding production, staging and development webheads, adding GRSEC secure kernels to most servers to provide quick patching, and making anti-virus file scanning a routine task.

“If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security,” added Ross.

Service-wide password resets are standard upon attacks that compromise account information. Earlier this year, Twitter, Evernote and hosting firm Linode all opted to reset passwords following security breaches.

How well do you know Internet security? Try our quiz and find out!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago