Drupal resets passwords after hacker breach

Open source content management platform Drupal has reset the passwords for almost one million accounts after hackers breached its systems

According to the Drupal Association, the breach was the result of an attack that exploited a vulnerability in an undisclosed third-party application.

Drupal said it has confirmed with the supplier of the third-party application that it is a known vulnerability that has been publicly disclosed.

The hack is believed to have exposed user names, email addresses, country information and cryptographically hashed passwords.

However, investigators may learn about other types of information compromised, said Drupal Association executive director Holly Ross in a blog post.

As a precautionary measure, all Drupal.org account holders are required to reset their passwords at their next login attempt.

“On discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files,” wrote Ross.

“The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability,” she said.

Drupal said no credit card information is stored on its site and there is no evidence that card numbers were intercepted.

“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” the organisation said.

Drupal also said there was no evidence to suggest that an unauthorised user modified Drupal core or any contributed projects or packages on Drupal.org.

The organisation emphasised that the breach notice applied specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

Drupal.org administrators have responded by rebuilding production, staging and development systems, and hardening most servers with grsecurity, a set of security patches for the Linux kernel.

The administrators have also hardened their configuration of the Apache web server and added antivirus scanning to their security routine.

Some Drupal.org sub-sites, particularly those with older content, have been converted to static archives so they cannot be updated in the future.

While Drupal has been praised for its transparency over the breach, some users have been calling for the organisation to reveal what third-party application was involved.

Drupal has said that investigations are still underway and it will share more detail when “appropriate”.
