Drupal resets account passwords after detecting unauthorised access

The attack does not affect sites running Drupal software

Drupal.org has reset account passwords after it found unauthorized access to information on its servers.

The access came through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal, the open source content management software provider said in a security update late Wednesday on its website.

The information exposed includes user names, email addresses, and country information, as well as hashed passwords. The breach has affected user account data stored on Drupal.org and groups.drupal.org, and not on sites running Drupal software. Drupal.org is the volunteer-run home of the Drupal project, which keeps track of the Drupal code and contributed work, while Drupal Groups is used by the community to organize and plan projects.

Investigations are still going on and Drupal may learn about other types of information that may have been compromised, wrote Holly Ross, executive director of the Drupal Association, which maintains the Drupal.org site.

"We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted," Drupal said in a FAQ. There is also no evidence that Drupal core software or any contributed projects or packages on Drupal.org were modified by an unauthorized user.

The malicious files, placed on association.drupal.org servers by a third-party application used by that site, were discovered during a security audit. The Drupal Association website was shut down "to mitigate any possible ongoing security issues related to the files." During forensic evaluations by the security team, it was found that user account information had been accessed through the vulnerability.

The third-party application was not identified.

Drupal said it had reset all Drupal.org account holder passwords and is asking users to change their passwords at their next login attempt, as a precautionary measure. It gave guidelines to users to change their passwords.

Drupal currently does not have information on who was behind the attack. It did not immediately respond to requests for more information about the intrusion, including on the number of users affected, which could be around 1 million, according to some estimates.

The open-source group has meanwhile strengthened its security to prevent similar attacks, including by hardening its Apache web server configurations, running an anti-virus scanner routinely to detect malicious files being uploaded to the Drupal.org servers, and adding GRSEC secure kernels to most servers. It also made static archives of end-of-life sites, which will not be updated in the future.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com

Tags: intrusion, Drupal.org, security, data breach, malware
