According to the Drupal Association, the breach was the result of an attack that exploited a vulnerability in an undisclosed third-party application.
Drupal said it has confirmed with the supplier of the third-party application that it is a known vulnerability that has been publicly disclosed.
The hack is believed to have exposed user names, email addresses, country information and cryptographically hashed passwords.
However, investigators may learn about other types of information compromised, said Drupal Association executive director Holly Ross in a blog post.
As a precautionary measure, all Drupal.org account holders are required to reset their passwords at their next login attempt.
“On discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files,” wrote Ross.
“The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability,” she said.
Drupal said no credit card information is stored on its site and there is no evidence that card numbers may have been intercepted.
“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” the organisation said.
Drupal also said there was no evidence to suggest that an unauthorised user modified Drupal core or any contributed projects or packages on Drupal.org.
The organisation emphasised that the breach notice applied specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.
Drupal.org administrators have responded by rebuilding production, staging and development systems, and enhancing most servers with grsecurity, a set of security patches for the Linux operating system.
The administrators have also hardened their configuration of the Apache Web server application and added antivirus scanning to their security routine.
Some Drupal.org sub-sites, particularly those with older content, have been converted to static archives so they cannot be updated in the future.
While Drupal has been praised for its transparency over the breach, some users have been calling for the organisation to reveal what third-party application was involved.
Drupal has said that investigations are still underway and it will share more detail when “appropriate”.