14 DAY TRIAL // A vulnerability in third-party software installed on the Drupal.org server infrastructure has allowed cybercriminals to gain access to account information from drupal.org and groups.drupal.org.
According to an announcement from Drupal representatives, the incident isn’t a result of a vulnerability in Drupal itself and sites running the Drupal content management system should not be impacted.
However, the attackers have managed to access usernames, email addresses, hashed passwords and country information. The passwords are said to be hashed and salted, but not all of them. Some of the older passphrases on some subsites are not salted.
It’s uncertain which encryption algorithm has been utilized to protect the passwords, but the Drupal accounts of impacted users should be safe because the company has decided to reset the passwords.
On the other hand, customers who use the same passphrase to protect other accounts are advised to change those as well.
The attackers have leveraged the third-party software vulnerability to plant malicious files on the Drupal.org server infrastructure. The files in question were discovered during a security audit.
For the time being, Drupal representatives believe that only usernames, email addresses, password hashes and country details have been compromised, but the investigation into the matter is ongoing, so the Drupal Security Team might discover that other information has been exposed as well.
The company emphasizes that there’s no evidence to suggest that the attackers have modified core, or contributed projects or packages on Drupal.org.
Sites running Drupal are not affected and there’s no evidence that credit card numbers have been intercepted. The website doesn’t store any credit card information.
However, users who have made transactions on association.drupal.org or those who utilize the same password for their online banking accounts are advised to closely monitor their financial records.
Regarding the attackers’ identities, Drupal representatives say they have nothing to share at this point.
To prevent future incidents, several changes have been made to the infrastructure and applications.