Open source content management platform Drupal has been forced to reset passwords for all user accounts, after some account information was compromised by an unidentified attacker.
The hacker might have accessed usernames, email addresses and passwords for millions of users, but did not obtain any financial information, Drupal said.
Drupal.org and groups.drupal.org were the only websites hit, not the hundreds of thousands of customer sites running on the platform. Holly Ross, executive director at Drupal Association, said that the attack was possible due to a vulnerability in third-party software, and not any shortcomings on behalf of the Drupal team.
Drupal, launched in 2001, is a free platform available under the GNU General Public License. It is used as a back-end system for at least 2.1 percent of all websites worldwide, including everything from government projects like data.gov.uk to media-heavy entertainment portals like MTV UK.
The attacker was able to access usernames, email addresses and customer location information, as well as hashed and salted passwords.
Ross said that the incident is still being investigated, and other types of information might have been compromised. As a precautionary measure, the organisation has reset all passwords. Customers will be able to set new passwords at their next login attempt.
“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” noted Ross. Drupal has also taken steps to prevent similar incidents from happening in the future, like rebuilding production, staging and development webheads, adding GRSEC secure kernels to most servers to provide quick patching, and making anti-virus file scanning a routine task.
“If you find that any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to password@association.drupal.org. We regret this occurred and want to assure you we are working hard to improve security,” added Ross.
Service-wide password resets are standard upon attacks that compromise account information. Earlier this year, Twitter, Evernote and hosting firm Linode all opted to reset passwords following security breaches.
How well do you know Internet security? Try our quiz and find out!
Digital transformation is an ongoing journey, requiring continuous adaptation, strong leadership, and skilled talent to…
Australian computer scientist faces contempt-of-court claim after suing Jack Dorsey's Block and Bitcoin Core developers…
OpenAI's ChatGPT gets search features, putting it in direct competition with Microsoft and Google, amidst…
New Google Maps allows users to ask for detailed information on local spots, adds AI-summarised…
US-sanctioned Huawei sees sales surge in first three quarters of 2024 on domestic smartphone popularity,…
Apple posts slight decline in China sales for fourth quarter, as Tim Cook negotiates to…