Drupal.org sees account info compromised, asks users to reset passwords

The Drupal Association reported today that an individual or group gained “unauthorized access” to account information stored on its Drupal.org and groups.drupal.org sites. The organization blamed malicious code uploaded through third-party software and says that while user information was exposed, no credit card information was stolen. Sites running Drupal generally have not been affected.

The association is asking all users to reset their passwords out of caution.

Holly Ross, the Drupal Association’s Executive Director, said that during the course of a security audit, the group noticed malicious files on its servers and shut down its association.drupal.org website to “mitigate any possible security issue related to the files.” It was during the course of its forensic audit that Drupal discovered user information had been disclosed.

The association believes that profile information such as username, email address, hashed passwords, and country may have been revealed. It says that it has taken the following steps to bolster its infrastructure security:

  • Staff at the OSU Open Source Lab (where Drupal.org is hosted) and the Drupal.org infrastructure teams rebuilt production, staging, and development webheads, and GRSEC secure kernels were added to most servers.
  • We are scanning and have not found any additional malicious or dangerous files and we are making scanning a routine job in our process.
  • There are many subsites on Drupal.org including older sites for specific events. We created static archives of those sites.

Ross says that she doesn’t know when the hack occurred and that while passwords may have been compromised, they are stored in a hashed format and “salted using multiple rounds of hashing (based on PHPass).” Subsite passwords are not hashed, however.
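To make the distinction in that paragraph concrete, here is an added, illustrative PHPass-style scheme (example code written for this article, not Drupal's or PHPass's own implementation): a random per-user salt, an iteration count stored inside the hash string, and a check that flags entries stored in the clear or with too few rounds, which is the situation described for the subsites.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative scheme constructed for this example; the "$X$" prefix and layout are
# assumptions, not Drupal's or PHPass's actual format.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _stretch(password: bytes, salt: bytes, log2_rounds: int) -> bytes:
    # First round binds the salt; each later round re-mixes the password in,
    # so every guess costs an attacker 2**log2_rounds hash computations.
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def hash_password(password: str, log2_rounds: int = 15, salt: Optional[bytes] = None) -> str:
    if salt is None:
        salt = os.urandom(6)  # fresh salt per password: identical passwords hash differently
    salt_text = salt.hex()
    digest = _stretch(password.encode(), salt_text.encode(), log2_rounds)
    # The rounds exponent and salt travel with the hash, as PHPass-style strings do.
    return f"$X${ALPHABET[log2_rounds]}${salt_text}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "X" or parts[2] not in ALPHABET:
        return False
    log2_rounds = ALPHABET.index(parts[2])
    digest = _stretch(password.encode(), parts[3].encode(), log2_rounds)
    return hmac.compare_digest(digest.hex(), parts[4])  # constant-time comparison


def needs_rehash(stored: str, min_log2_rounds: int) -> bool:
    # True for entries not in this scheme at all (e.g. a plaintext subsite password)
    # or hashed with fewer rounds than current policy; rehash them at next login.
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "X" or parts[2] not in ALPHABET:
        return True
    return ALPHABET.index(parts[2]) < min_log2_rounds
```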

For those with projects hosted on Drupal.org, Ross says that there’s no evidence to suggest an unauthorized user “modified Drupal core or any contributed projects or packages on Drupal.org.” Furthermore, all software is open source and bundled from “publicly accessible repositories with log histories and access controls.”

Drupal.org is the website dedicated to the Drupal project, a free and open-source content management framework. The site is the keeper of all Drupal code and contributed projects, and also publishes news, organization information, training resources, and more related to the software. It’s estimated that nearly 1 million people help power Drupal.

Photo credit: Sean Gallup/Getty Images