Drupal.org has been hacked and its user database compromised

The developers of Drupal, the popular web content management platform, have reported an incident in which the servers hosting the project's website and the discussion platform groups.drupal.org were broken into.

As a result of the attack, the intruders gained access to the Drupal.org user database, which holds about a million accounts, including users' personal data and hashed passwords.

It is reported that a leak of other project data cannot be ruled out, but users' credit card details were not stored on the compromised server, so their falling into the wrong hands is considered unlikely. In theory, a logger capturing card numbers could have been set up on the compromised server, but no evidence of such interception was found. The integrity of the Drupal code base is also not a concern, since it can easily be verified by checking it against the contents of external repositories.

The announcement emphasizes that the break-in was carried out by exploiting a vulnerability in third-party software used on the server, not through a security problem in the Drupal platform itself. Which application served as the entry point is not being disclosed until the vulnerability in that software is fixed, but it apparently concerns a popular system used on many servers.

The break-in was discovered during a server security audit, which revealed the presence of files used to exfiltrate the user database. Checks of the other servers showed no signs of penetration. To avoid similar incidents in the future, it was decided to run the project's servers on a kernel with the Grsecurity patches and to move to a more secure password hashing scheme. The bulk of the password hashes are stored with a salt (the PHPass module is used for hashing), but some older passwords remain in the database without a salt.
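To make the salted-versus-unsalted distinction concrete, here is an added illustration (not Drupal's or PHPass's own code) of the scheme PHPass portable hashes use, iterated MD5 over a per-user random salt packed into a `$P$`-prefixed string, next to plain unsalted MD5, which is assumed here to stand for the older rows. The `$P$` layout and alphabet follow PHPass's published portable format; the functions and sample passwords are this page's own.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3)-style alphabet

def encode64(data: bytes) -> str:
    """PHPass variant of base64: little-endian 6-bit groups, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def _iterate(setting: str, password: str) -> bytes:
    """Salted, iterated MD5; cost (2**log2) and the 8-char salt are read back from the setting."""
    count = 1 << ITOA64.index(setting[3])
    digest = hashlib.md5(setting[4:12].encode() + password.encode()).digest()
    for _ in range(count):
        digest = hashlib.md5(digest + password.encode()).digest()
    return digest

def phpass_hash(password: str, count_log2: int = 8, salt: str = "") -> str:
    """Build a portable hash: "$P$" + cost char + 8-char salt + encoded 16-byte digest (34 chars)."""
    salt = salt or encode64(os.urandom(6))  # 6 random bytes encode to exactly 8 chars
    setting = "$P$" + ITOA64[count_log2] + salt
    return setting + encode64(_iterate(setting, password))

def phpass_check(password: str, stored: str) -> bool:
    """Recompute using the salt and cost stored in the hash, then compare in constant time."""
    candidate = stored[:12] + encode64(_iterate(stored[:12], password))
    return hmac.compare_digest(candidate, stored)

def legacy_md5(password: str) -> str:
    """Unsalted scheme assumed for the old rows: every user with this password gets the same hash."""
    return hashlib.md5(password.encode()).hexdigest()
```

Two users who chose the same password get identical `legacy_md5` values, so one cracked hash (or a precomputed table) unlocks all of them, whereas `phpass_hash` yields a different string on every call and each must be attacked separately at the stored cost.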

In connection with the incident, it was decided to reset all passwords and to initiate a password change for all users. All accounts are currently locked; to regain access, a user must change the password on a special page of the site (a new password will be generated automatically and sent by email). Users who use the same password on several sites are advised to change it on those sites as well.

Link to the original announcement:

https://drupal.org/news/130529SecurityUpdate
