Drupal website hack prompts password reset

Drupal.org falls victim to hackers, resulting in new passwords for users.

Password protection

Hackers have gained unauthorised access to the user names, email addresses and passwords of a number of Drupal.org users.

The open source online content management firm's security and infrastructure team confirmed the website breach in a blog post last night, and stressed that websites running on its platform should not be affected.


"The Drupal.org security team and infrastructure team has discovered unauthorised access to account information on Drupal.org and groups.drupal.org," the blog post states.

"This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself."

The platform itself is used to underpin blogs and enterprise applications, while the groups.drupal.org arm is where its users can congregate to work or receive support for their Drupal-based projects.

The blog post also confirmed that all Drupal.org account holders have had their passwords changed as a precautionary measure.

"Information exposed includes usernames, email addresses, country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly," the post continued.


The company said it has no information to share at the moment about the identity of the attackers, but assured users it was doing all it can to prevent something similar happening again.

For instance, the company has introduced a number of infrastructure and application changes that have seen it "harden" its Apache web server configurations and introduce an anti-virus scanner that looks for malicious files being uploaded to the Drupal.org servers.

Further to this, it has also advised users to be on their guard against phishing attacks in the wake of the hack.

"Beware of emails that threaten to close your account if you do not take the 'immediate action' of providing personal information," the post added.

"We do not store credit card information, [so] as a precaution we recommend you closely monitor your financial accounts if you made a transaction on association.drupal.org or if you use a password with your financial institution that is similar to your [one for] Drupal.org."
