Drupal resets account passwords after detecting unauthorized access
The attack does not affect sites running Drupal software
IDG News Service - Drupal.org has reset account passwords after it found unauthorized access to information on its servers.
The access came through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal, the open source content management software provider said in a security update late Wednesday on its website.
The information exposed includes user names, email addresses, and country information, as well as hashed passwords. The breach has affected user account data stored on Drupal.org and groups.drupal.org, and not on sites running Drupal software. Drupal.org is the volunteer-run home of the Drupal project, which keeps track of the Drupal code and contributed work, while Drupal Groups is used by the community to organize and plan projects.
Investigations are still going on and Drupal may learn about other types of information that may have been compromised, wrote Holly Ross, executive director of the Drupal Association, which maintains the Drupal.org site.
"We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted," Drupal said in a FAQ. There is also no evidence that Drupal core software or any contributed projects or packages on Drupal.org were modified by an unauthorized user.
The malicious files, placed on association.drupal.org servers by a third-party application used by that site, were discovered during a security audit. The Drupal Association website was shut down "to mitigate any possible ongoing security issues related to the files." During forensic evaluations by the security team, it was found that user account information had been accessed through the vulnerability.
The third-party application was not identified.
Drupal said it had reset all Drupal.org account holder passwords and is asking users to change their passwords at their next login attempt, as a precautionary measure. It gave guidelines to users to change their passwords.
Drupal currently does not have information on who was behind the attack. It did not immediately respond to requests for more information about the intrusion, including on the number of users affected, which could be around 1 million, according to some estimates.
The open-source group has meanwhile strengthened its security to prevent similar attacks, including by hardening its Apache web server configurations, running an anti-virus scanner routinely to detect malicious files being uploaded to the Drupal.org servers, and adding GRSEC secure kernels to most servers. It also made static archives of end-of-life sites, which will not be updated in the future.