Drupal.org Gets Hacked, Resets All User Passwords

Open source content management platform Drupal has been forced to reset passwords for all user accounts, after some account information was compromised by an unidentified attacker.

The hacker might have accessed usernames, email addresses and passwords for millions of users, but did not obtain any financial information, Drupal said.

Drupal.org and groups.drupal.org were the only websites hit, not the hundreds of thousands of customer sites running on the platform. Holly Ross, executive director at Drupal Association, said that the attack was possible due to a vulnerability in third-party software, and not any shortcomings on behalf of the Drupal team.

Emergency response

Drupal, launched in 2001, is a free platform available under the GNU General Public License. It is used as a back-end system for at least 2.1 percent of all websites worldwide, including everything from government projects like data.gov.uk to media-heavy entertainment portals like MTV UK.

On Wednesday, Drupal’s Security and Infrastructure Teams discovered “unauthorised access” to some of the site’s resources. Shortly after, they shut down the association.drupal.org resource to mitigate the damage.

The attacker was able to access usernames, email addresses and customer location information, as well as hashed and salted passwords.

Ross said that the incident is still being investigated, and other types of information might have been compromised. As a precautionary measure, the organisation has reset all passwords. Customers will be able to set new passwords at their next login attempt.

“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” noted Ross. Drupal has also taken steps to prevent similar incidents from happening in the future, like rebuilding production, staging and development webheads, adding GRSEC secure kernels to most servers to provide quick patching, and making anti-virus file scanning a routine task.

“If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security,” added Ross.

Service-wide password resets are standard upon attacks that compromise account information. Earlier this year, Twitter, Evernote and hosting firm Linode all opted to reset passwords following security breaches.

How well do you know Internet security? Try our quiz and find out!