Drupal resets account passwords after detecting unauthorized access
The attack does not affect sites running Drupal software
IDG News Service - Drupal.org has reset account passwords after it found unauthorized access to information on its servers.
The access came through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal, the open source content management software provider said in a security update late Wednesday on its website.
The information exposed includes user names, email addresses, and country information, as well as hashed passwords. The breach has affected user account data stored on Drupal.org and groups.drupal.org, and not on sites running Drupal software. Drupal.org is the volunteer-run home of the Drupal project, which keeps track of the Drupal code and contributed work, while Drupal Groups is used by the community to organize and plan projects.
Investigations are still going on and Drupal may learn about other types of information that may have been compromised, wrote Holly Ross, executive director of (Drupal Association, which maintains the Drupal.org site.
"We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted," Drupal said in a FAQ. There is also no evidence that Drupal core software or any contributed projects or packages on Drupal.org. were modified by an unauthorized user.
The malicious files, placed on association.drupal.org servers by a third-party application used by that site, were discovered during a security audit. The Drupal Association website was shut down "to mitigate any possible ongoing security issues related to the files." During forensic evaluations by the security team, it was found that user account information had been accessed through the vulnerability.
The third-party application was not identified.
Drupal said it had reset all Drupal.org account holder passwords and is asking users to change their passwords at their next login attempt, as a precautionary measure. It gave guidelines to users to change their passwords.
Drupal currently does not have information on who was behind the attack. It did not immediately respond to requests for more information about the intrusion, including on the number of users affected, which could be around 1 million, according to some estimates.
The open-source group has meanwhile strengthened its security to prevent similar attacks, including by hardening its Apache web server configurations, running an anti-virus scanner routinely to detect malicious files being uploaded to the Drupal.org servers, and adding GRSEC secure kernels to most servers. It also made static archives of end-of-life sites, which will not be updated in the future.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts