The free open-source content management system Drupal has reset all Drupal.org passwords after unknown attackers gained access to user account data including usernames, email addresses and hashed passwords.
The Drupal Association said that sites running Drupal - which account for around 2% of websites worldwide, including websites such as The White House, The Economist and Examiner.com - were not affected.
The warning “applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally,” Drupal Association executive Director Holly Ross said in a blog post.
“This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself,” Ross said.
Ross said that the hack involved a known vulnerability, and said more information would be published when appropriate.
“Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we've reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt.”
Ross also advised, “changing or resetting passwords on other sites where you may use similar passwords.”
