Security Experts:

Drupal Forces Password Resets After Breach Discovery

Drupal.org, home to one of the Web’s most popular Content Management System (CMS) platforms, has issued an alert to community members and reset all account passwords after their infrastructure and security teams discovered malicious files on a server.

According to the notice posted on Wednesday, the Drupal.org Security Team discovered malicious files on association.drupal.org servers, which were placed there by attackers who targeted a third-party application used by that site. Drupal stressed that the incident doesn’t reflect any sort of vulnerability with the Drupal platform itself.

The malicious files discovered may have exposed user information stored on Drupal.org and groups.drupal.org, including usernames, email addresses, and country information, as well as hashed passwords. As a precaution, Drupal has reset all account passwords, and users will be forced to change them on their next login. Credit card information is not stored by Drupal, the organization said, and they have seen no evidence that suggest that such details were intercepted by the attackers.

“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” they said.

Drupal said that while all of the latest stored passwords are salted and hashed, a process that makes cracking them extremely difficult assuming the attackers didn’t have access to the salts, some older passwords on groups.drupal.org were not salted.

Their advisory also warns users to “be cautious” should they receive e-mails asking for personal information and “be on the lookout for unwanted spam.” Likewise, users should be immediately suspicious of emails that threaten account closures for failure to take immediate action to provide personal information.

At present, there have been no reports online or by Drupal of people seeing such emails.

“We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have. However, we are committed to transparency and will report to the community once we have an investigation report,” the advisory adds.

In addition to password resets, Drupal said they also they hardened Apache configurations, and created static copies of sites that were no longer going to receive feature or content updates to minimize maintenance.

Additional details are available here

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.