Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data.
Drupal.org is the official website for the popular open-source content management platform. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application and not in Drupal itself, according to Holly Ross, executive director of the Drupal Association, in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.
"Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."