The server hosting the official website of Drupal, the popular content management platform, has been compromised and sensitive user data was accessed by the attackers, the executive director of the Drupal Association revealed in a blog post on Wednesday.
The breach was made possible by the existence of a vulnerability in a third-party software installed on the Drupal.org server infrastructure, Holly Ross shared, and not within Drupal itself.
Consequently, sites running Drupal are safe, and only users who have accounts on the drupal.org and groups.drupal.org websites will be forced to change their passwords. The number of users affected is not stated, but it is reportedly over one million.
“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed,” Ross wrote. “Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”
The compromised data includes username, email address, hashed passwords, and country for some users, but she says that they are still investigating the breach so the list might not be complete.
“The passwords are both hashed and salted using multiple rounds of hashing (based on PHPass),” she shared, adding that passwords on some subsites were not salted. The association doesn’t store any credit card information, so it couldn’t have been stolen in this way. Nevertheless, they advise users to monitor their financial accounts if they made a transaction on association.drupal.org or if they use a password with their financial institution that is similar to their Drupal.org password.
As far as the forensic team can tell so far, no projects or Drupal source code have been accessed by the attackers.
To prevent such incidents in the future, the admins have rebuilt production, staging, and development systems, added GRSec secure kernels to most servers, and have hardened their Apache web server configurations. Older subsites and any site that were no longer going to receive feature or content updates have been turned into static archives, and the team plans of adding antivirus scanning to their routine security checks.