Drupal.org and groups.drupal.org Hacked via Third-Party App, login credentials of users compromised
According to an announcement from a Drupal representative, the Drupal Security Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org.
The announcement also states that the unauthorized access was made through third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself.
Sites running Drupal are not affected and there’s no evidence that credit card numbers have been intercepted.
Information exposed includes usernames, email addresses, and country information, as well as hashed passwords.
Drupal has reset all passwords, which users will see when they try to log in.
Here is how Drupal said to reset the password:
A user password can be changed at any time by taking the following steps.
- Go to https://drupal.org/user/password
- Enter your username or email address.
- Check your email and follow the link to enter a new password.
- It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.
All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted.
Although there is no evidence that card numbers have been intercepted, the Drupal Security Team is still investigating the incident.