Drupal.org Hacked, User Details Exposed And Reset

Another day, another big site hacked. 2013 really just hasn’t been a good year for web security.

This time around, the site writing the email that no one wants to write is Drupal.org, home of the popular content management platform, Drupal. Though no exact number was shared, it appears that nearly one million user accounts are affected.

Also affected are the user accounts of groups.drupal.org, a sub-site meant to help Drupal users establish meetup groups in the real world.

Word of the break-in went out this evening, when Drupal began to email affected users.

In an FAQ about the hack on their site, Drupal says that they currently have no idea who might be behind the attack. So far, it seems like the hackers had access to usernames, email addresses, and hashed passwords.

As is par for the course at this point, Drupal has immediately reset the passwords for every user in the system. If you’re one of the million-or-so users on Drupal.org, you’ll need to confirm your email and pick a new password before regaining access.

While you’re at it, you’ll probably want to change your password on any sites where you’ve used a password similar to the one you might’ve used on Drupal.org. While Drupal seems to have done a pretty good job of ensuring that passwords were stored safely (most were both salted and given multiple passes through a hash function), it’s just good practice. You’d be surprised at how insanely fast password cracking has become.
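To show why "salted and given multiple passes" matters for leaked password hashes, here is an added example that is not Drupal.org's code (the article does not describe its actual scheme): PBKDF2-HMAC-SHA256 stands in for a salted, iterated hash, the iteration count is an assumed value, and the passwords are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added illustration, not Drupal.org's code: the article only says most stored
# passwords were salted and put through multiple hash passes. PBKDF2-HMAC-SHA256
# stands in for such a scheme here; the iteration count is an assumed value.
ITERATIONS = 100_000


def legacy_hash(password: str) -> str:
    """Unsalted, single-pass SHA-1. Equal passwords give equal digests, so one
    precomputed table of common passwords covers every user who chose them."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_ratio(iterations: int = ITERATIONS) -> float:
    """How many times more work one guess costs against the iterated hash than
    against legacy SHA-1, measured on this machine (a defender's estimate)."""
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_hash("hunter2")                       # constructed password
    legacy = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hash_password("hunter2", b"\x00" * 16, iterations)
    return (time.perf_counter() - t0) / legacy


if __name__ == "__main__":
    a, b = hash_password("hunter2"), hash_password("hunter2")  # same password, two users
    print(legacy_hash("hunter2") == legacy_hash("hunter2"), a == b)  # True False
    print(verify_password("hunter2", a), verify_password("hunter3", a))  # True False
    print(f"one guess costs ~{cost_ratio():.0f}x more against the iterated hash")
```

The second line of output is the salt doing its job: two users with the same password get unrelated digests, so a table built against one does not transfer to the other, and the work factor multiplies the cost of every remaining guess.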

It’s important to note that this hack affects Drupal.org, the website itself, and is not the result of a vulnerability in Drupal, the CMS. In other words: if you’ve got a Drupal-powered site, don’t freak out. According to Drupal Executive Director Holly Ross, the hackers gained access through an exploit in an unnamed third-party tool that Drupal.org was running on their server.

Also important to note: Drupal says they store no credit card details on their servers, but they’re still making sure there wasn’t any malicious code put in place to quietly intercept ’em without them noticing. They’re recommending that anyone who’s made a transaction on Drupal.org keep an eye on their statements, just in case.