Drupal.org has reset account passwords after it found unauthorized access to information on its servers.
The access came through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal, the open source content management software provider said in a security update late Wednesday on its website.
The information exposed includes user names, email addresses, and country information, as well as hashed passwords. The breach has affected user account data stored on Drupal.org and groups.drupal.org, and not on sites running Drupal software. Drupal.org is the volunteer-run home of the Drupal project, which keeps track of the Drupal code and contributed work, while Drupal Groups is used by the community to organize and plan projects.
Investigations are still going on and Drupal may learn about other types of information that may have been compromised, wrote Holly Ross, executive director of (Drupal Association, which maintains the Drupal.org site.
“We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted,” Drupal said in a FAQ. There is also no evidence that Drupal core software or any contributed projects or packages on Drupal.org. were modified by an unauthorized user.
The malicious files, placed on association.drupal.org servers by a third-party application used by that site, were discovered during a security audit. The Drupal Association website was shut down “to mitigate any possible ongoing security issues related to the files.” During forensic evaluations by the security team, it was found that user account information had been accessed through the vulnerability.
The third-party application was not identified.
Drupal said it had reset all Drupal.org account holder passwords and is asking users to change their passwords at their next login attempt, as a precautionary measure. It gave guidelines to users to change their passwords.
Drupal currently does not have information on who was behind the attack. It did not immediately respond to requests for more information about the intrusion, including on the number of users affected, which could be around 1 million, according to some estimates.
The open-source group has meanwhile strengthened its security to prevent similar attacks, including by hardening its Apache web server configurations, running an anti-virus scanner routinely to detect malicious files being uploaded to the Drupal.org servers, and adding GRSEC secure kernels to most servers. It also made static archives of end-of-life sites, which will not be updated in the future.