Home / Info Sec / Drupal.org is hacked, user details exposed and passwords are resetted
drupal is hacked

Drupal.org is hacked, user details exposed and passwords are resetted


This means no computer system is really secure. Another big site is hacked just hours ago.

I received an email 8 hours ago but its just this time that I open my e-mail. Then an email subject catches me, “Important Security Update: Reset your Drupal.org Password.”

Drupal.org, the home of one of the worlds most popular content management system is hacked!

According to the email, unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself.

Also affected of the breach is groups.drupal.org a sub site that helps Drupal users establish meetup groups all over the world.

Drupal however cited, not the Drupal software itself is affected.

Information exposed includes usernames, email addresses, and country information, as well as hashed passwords.


” All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted,” the email added.

Part of security measure, Drupal then resetted the passwords of all users in the system.

Drupal then urge users to make passwords stronger and neglect emails asking for personal information.

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spamIt is not our practice to request personal information by . email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

Full email reads:

Dear community member,


We respect the privacy of your information, which is why, as a precautionary measure, we are writing to let you know about an incident that involves your personal information. The Drupal.org Security and Infrastructure Teams have discovered unauthorized access to account information on Drupal.org and groups.drupal.org. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

We have implemented additional security measures designed to prevent the recurrence of such an attack, and to protect the privacy of our community members.

The next time you attempt to log into your account, you will be required to create a new password.

Below are steps you can take to further protect your personal information online. We encourage you to take preventative measures now to help prevent and detect the misuse of your information.

First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all passwords on Drupal.org are stored salted and hashed. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org were not salted. To make your password stronger:

* Do not use passwords that are simple words or phrases
* Never use the same password on multiple sites or services
* Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).


Second, be cautious if you receive emails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by email. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to [email protected].

We regret that this incident has occurred and want to assure you we are working hard to improve security.

Thank you,
Holly Ross
Drupal Association Executive Director

 

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol, come over here and lets have fun! :3 Just keep reading :D