Drupal.org Gets Hacked, Resets All User Passwords

Open source content management platform Drupal has been forced to reset passwords for all user accounts, after some account information was compromised by an unidentified attacker.

The hacker might have accessed usernames, email addresses and passwords for millions of users, but did not obtain any financial information, Drupal said.

Drupal.org and groups.drupal.org were the only websites hit, not the hundreds of thousands of customer sites running on the platform. Holly Ross, executive director at Drupal Association, said that the attack was possible due to a vulnerability in third-party software, and not any shortcomings on behalf of the Drupal team.

Emergency response

Drupal, launched in 2001, is a free platform available under the GNU General Public License. It is used as a back-end system for at least 2.1 percent of all websites worldwide, including everything from government projects like data.gov.uk to media-heavy entertainment portals like MTV UK.

On Wednesday, Drupal’s Security and Infrastructure Teams discovered “unauthorised access” to some of the site’s resources. Shortly after, they shut down the association.drupal.org resource to mitigate the damage.

The attacker was able to access usernames, email addresses and customer location information, as well as hashed and salted passwords.

Ross said that the incident is still being investigated, and other types of information might have been compromised. As a precautionary measure, the organisation has reset all passwords. Customers will be able to set new passwords at their next login attempt.

“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” noted Ross. Drupal has also taken steps to prevent similar incidents from happening in the future, like rebuilding production, staging and development webheads, adding GRSEC secure kernels to most servers to provide quick patching, and making anti-virus file scanning a routine task.

“If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security,” added Ross.

Service-wide password resets are standard upon attacks that compromise account information. Earlier this year, Twitter, Evernote and hosting firm Linode all opted to reset passwords following security breaches.

How well do you know Internet security? Try our quiz and find out!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

40 mins ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

3 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

5 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

20 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

23 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago