The distributors of the popular open-source content-management framework Drupal are resetting the passwords of nearly 1 million user accounts after hackers gained unauthorized entry to sensitive user data, including email addresses and encrypted passwords.
The Portland, Ore.-based Drupal Association said yesterday (May 29) that it had detected the breach during a security audit, and had found that attackers installed malicious software on its website, drupal.org, which in turn allowed other malicious files to read account information.
In a blog posting, Drupal Association executive director Holly Ross said that despite the virtual break-in, the attackers did not seem to have changed any Drupal code, nor did they have access to users’ credit-card information.
“As a precautionary measure, we’ve reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt,” Ross wrote.
The thousands of websites that run on Drupal software — estimated at 2 percent of all sites — should not be affected by the data breach.
In response to the attack, Drupal.org has made significant security improvements. The association also eliminated weaknesses by making dormant sites static and removing old passwords on sub-sites.
Ross did not specify when the breach occurred. She cautioned users to be suspicious of phishing emails that sought to take advantage of the confusion with bogus threats to shut down accounts.
You may have never heard of Drupal, but there’s a good chance you’ve been on a website that uses it. The open-source platform is reportedly used by nearly 1 million developers around the world, and Drupal.org names WhiteHouse.gov and Economist.com as two prominent websites that use the software.