The Drupal Association is urging all users of Drupal.org and groups.drupal.org to reset their passwords after discovering an intrusion that breached files holding usernames, e-mail addresses, countries and hashed passwords.
Sites that run on Drupal do not appear to be impacted, though the organization stressed that an ongoing forensic review may reveal more details and victims. It also does not appear that intruders manipulated any Drupal code stored within the site.
The breach was found during a security audit and involved an exploit in vulnerable third-party software installed on association.drupal.org servers that allowed malicious files to rummage through account information. No credit card information was accessed, according to Drupal Association Executive Director Holly Ross.
“As a precautionary measure, we’ve reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt,” she said in a message on the Web site. Most of those passwords were both hashed and salted with multiple rounds of the open-source PHPass library. Credentials used to access subsites may not have had this additional protection.
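To make the distinction in that paragraph concrete, here is an added example (not code from the article, the Drupal Association, or the PHPass project) that reimplements the structure of a PHPass-style portable hash in Python: an 8-character random salt, a tunable round count encoded in the hash string, and iterated MD5. Beside it is a plain unsalted single-round digest of the kind the subsite credentials may have relied on. The function and variable names are my own; the exact layout mirrors the PHPass "$P$" format as I understand it and is an assumption, not a claim about what Drupal.org stored.

```python
"""Salted, iterated (PHPass-style) password hashing versus an unsalted digest.

Added example: the format below follows the PHPass "$P$" portable hash layout
(prefix, one count character, 8 salt characters, 22 hash characters). It is a
reimplementation for illustration, not Drupal.org's or PHPass's own code.
"""
import hashlib
import hmac
import secrets

# PHPass's 64-character alphabet; the position of a character doubles as a number.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """PHPass-style little-endian base64 without padding (3 bytes -> 4 chars)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def rounds_of(stored: str) -> int:
    """Work factor encoded in the 4th character: 2 ** count_log2 iterations."""
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("round count out of range")
    return 1 << count_log2


def _crypt_private(password: bytes, setting: str) -> str:
    """Hash `password` under the 12-char `setting` ($P$ + count char + 8-char salt)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("unsupported hash prefix")
    count = rounds_of(setting)
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("bad salt")
    # First round binds the salt; every further round re-mixes the password so the
    # attacker pays `count` digests per guess, per user.
    digest = hashlib.md5(salt + password).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)


def hash_password(password: str, count_log2: int = 11) -> str:
    """Create a fresh salted hash; two users with the same password get different strings."""
    salt = _encode64(secrets.token_bytes(6))  # 6 random bytes -> 8 salt characters
    setting = "$P$" + ITOA64[count_log2] + salt
    return _crypt_private(password.encode(), setting)


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        computed = _crypt_private(password.encode(), stored[:12])
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(computed, stored)


def unsalted_md5(password: str) -> str:
    """The weak alternative: no salt, one round, identical input -> identical output."""
    return hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h, rounds_of(h), check_password("correct horse battery staple", h))
    # Same password, two users: salted strings differ, unsalted digests collide.
    print(hash_password("hunter2") != hash_password("hunter2"))
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

The point for a defender reading a breach notice like this one: with the salted, iterated scheme a leaked table forces a separate, 2048-digest-per-guess effort for each account, while the unsalted digest lets one precomputed table answer every account at once, which is why the subsite credentials deserve the same forced reset even though the main site's were better protected.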
As soon as the malicious files were discovered, a security team shut down the association.drupal.org site for further analysis.
Teams from the Drupal Association and the OSU Open Source Lab, where Drupal.org is hosted, then rebuilt the production, staging and development webheads. They also added Linux grsecurity kernels to most servers, ran additional AV scans and hardened the Apache Web server configurations. Additionally, they converted older, dormant sites to static, archived copies and removed old passwords on sub-sites and non-production installations.
The association says a team of experts that includes trusted community members is working around the clock to detect and mitigate any further evidence of foul play. The open source content management platform is said to be used by a little more than 965,000 developers in 228 countries.
Ross did not say when the breach may have occurred or identify the vendor with the vulnerability. She cautioned users to be wary of “emails that threaten to close your account if you do not take the ‘immediate action’ of providing personal information.”
And although sites running Drupal are not believed to be at risk, she said it’s a good idea for those sites also to follow best practices and to monitor Drupal security notices for the open-source software.