Content management system software developer Drupal is recommending that its customers reset their Drupal.org passwords after it was discovered that account information on its servers had been compromised.
In an announcement posted on its site, the company noted that the attacker gained access via third-party software, not through any vulnerability in Drupal's own software. The third-party software has not been disclosed. Only accounts on drupal.org and groups.drupal.org have potentially been compromised; customers running their own instances of Drupal should not be affected.
The information that Drupal believes was exposed includes usernames, email addresses, country information, and hashed passwords. Passwords were also salted in most cases, but Drupal notes that some older passwords were not.
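The distinction between salted and unsalted hashes matters for the exposed accounts: with an unsalted hash, every user who chose the same password has the same stored value, so one precomputed table or one cracked entry covers all of them at once, while a per-user random salt forces each hash to be attacked separately. The following Python is an added illustration written for this article, not code from Drupal or Drupal.org; the two sample users and their shared password are constructed, and the legacy scheme shown (a single unsalted SHA-256) is an assumption used only to contrast the two approaches.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two unrelated users who happened to pick the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Iteration count for the salted scheme; PBKDF2 deliberately slows each guess.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Legacy-style storage (assumed for illustration): one plain SHA-256, no salt.

    Identical passwords produce identical digests, so a leaked table can be
    attacked with precomputed hashes and one crack reveals every matching user.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated storage using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is drawn per user unless one is supplied (as
    when re-deriving the key to verify a login). Returns (salt, derived_key);
    both are stored, the salt is not secret.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived


def verify(password: str, salt: bytes, stored_key: bytes,
           iterations: int = ITERATIONS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_key)


def same_password_collides_unsalted() -> bool:
    """True: the unsalted scheme cannot hide that alice and bob share a password."""
    return unsalted_hash(USERS["alice"]) == unsalted_hash(USERS["bob"])


def same_password_collides_salted() -> bool:
    """False: distinct random salts give distinct stored keys for the same password."""
    _, key_a = salted_hash(USERS["alice"])
    _, key_b = salted_hash(USERS["bob"])
    return key_a == key_b


def login_roundtrip() -> Tuple[bool, bool]:
    """Store alice's password once, then check a correct and an incorrect login."""
    salt, stored = salted_hash(USERS["alice"])
    return verify(USERS["alice"], salt, stored), verify("wrong password", salt, stored)


if __name__ == "__main__":
    print("unsalted digests collide:", same_password_collides_unsalted())
    print("salted keys collide:     ", same_password_collides_salted())
    print("login (good, bad):       ", login_roundtrip())
```

Only the salted rows in a stolen table need to be attacked one user at a time and at the cost of the iteration count per guess; that is why the unsalted older passwords in the Drupal.org data are the ones most worth rotating first.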
After exploiting a vulnerability in the third-party application, Drupal's attackers uploaded files to the association.drupal.org server, which Drupal detected during a routine security audit. The server was subsequently shut down and a resulting investigation found that users' account information had been accessed.
A further internal investigation is currently being carried out by Drupal Association staff and trusted volunteer security experts from its community. At this point, the Association says it has no information to share on who may have been behind the attack.
To prevent a repeat incident, Drupal has undertaken a number of security measures. These include completely rebuilding its production, staging and development servers; hardening its web server configurations; and converting some of its sites to static copies to reduce the chance of attack on any systems that might later become outdated.