Open source content management platform Drupal has been forced to reset passwords for all user accounts, after some account information was compromised by an unidentified attacker.
The hacker might have accessed usernames, email addresses and passwords for millions of users, but did not obtain any financial information, Drupal said.
Drupal.org and groups.drupal.org were the only websites hit, not the hundreds of thousands of customer sites running on the platform. Holly Ross, executive director at Drupal Association, said that the attack was possible due to a vulnerability in third-party software, and not any shortcomings on behalf of the Drupal team.
Drupal, launched in 2001, is a free platform available under the GNU General Public License. It is used as a back-end system for at least 2.1 percent of all websites worldwide, including everything from government projects like data.gov.uk to media-heavy entertainment portals like MTV UK.
The attacker was able to access usernames, email addresses and customer location information, as well as hashed and salted passwords.
Ross said that the incident is still being investigated, and other types of information might have been compromised. As a precautionary measure, the organisation has reset all passwords. Customers will be able to set new passwords at their next login attempt.
“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” noted Ross. Drupal has also taken steps to prevent similar incidents from happening in the future, like rebuilding production, staging and development webheads, adding GRSEC secure kernels to most servers to provide quick patching, and making anti-virus file scanning a routine task.
“If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security,” added Ross.
Service-wide password resets are standard upon attacks that compromise account information. Earlier this year, Twitter, Evernote and hosting firm Linode all opted to reset passwords following security breaches.
How well do you know Internet security? Try our quiz and find out!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…