The Drupal.org Security Team and Infrastructure Team have discovered unauthorized access to account information on Drupal.org and groups.drupal.org.
This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.
Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we are asking all users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.
All passwords on Drupal.org are stored in a hashed format. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org and other Drupal 6 sites were not salted.
See the recommendations below on additional measures that you can take to protect your personal information.
Malicious files were placed on association.drupal.org servers via a third-party application used by that site. Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.
The suspicious files may have exposed profile information like username, email address, hashed password, and country. In addition to resetting your password on Drupal.org, we are also recommending a number of measures (below) for further protection of your information, including, among others, changing or resetting passwords on other sites where you may use similar passwords.
We take security very seriously on Drupal.org. As attacks on high-profile sites (regardless of the software they are running) are common, we strive to continuously improve the security of all Drupal.org sites.
To that end, we have taken the following steps to secure the Drupal.org infrastructure:
We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have. However, we are committed to transparency and will report to the community once we have an investigation report.
If you have any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately by sending an email to [email protected]. We regret that this occurred and want to assure you that we are working hard to improve security.
Thank you,
Holly Ross
Drupal Association Executive Director
The Drupal.org Security Team and Infrastructure Team have identified unauthorized access to user information on Drupal.org and groups.drupal.org, which occurred via third-party software installed on the Drupal.org server infrastructure.
The information includes username, email address, hashed passwords, and country for some users. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.
We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly.
We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org. Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls.
This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally. However, we recommend that you follow best practices and act on any security notices from Drupal.org or third-party integrations to keep your site safe. Resources include the following sites:
Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. We are still investigating and will share more detail when it is appropriate.
There have been several infrastructure and application changes including:
At this point there is no information to share.
We have a forensics team made up of both Drupal Association staff and trusted community volunteers who are security experts working on the issue around the clock.
Passwords on Drupal.org are stored in a hashed format. Currently, passwords are both hashed and salted using multiple rounds of hashing (based on PHPass). Passwords on some subsites were not salted.
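The difference the answer above draws between salted, multi-round hashing and the unsalted hashes on some subsites is easiest to see in code. The following is an added example written for this page, not Drupal's own password.inc: the salted scheme is modeled on the phpass-derived approach the notice refers to (hash the salt and password, then re-hash with the password mixed in 2**count_log2 times), while the record format `$S$<cost>$<salt>$<digest>`, the helper names and the sample password are assumptions made for the illustration.

```python
"""Salted, iterated password hashing versus an unsalted single-round hash.

Added illustration, not Drupal's code. The salted scheme is modeled on the
phpass-derived approach described in the notice; the record layout and the
function names are assumptions made for this example.
"""
import hashlib
import hmac
import os
from typing import Optional


def unsalted_hash(password: str) -> str:
    """Single-round, unsalted MD5 (the kind of storage the notice says some
    older accounts had). Every account with the same password ends up with the
    same stored value, so one precomputed lookup covers all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_iterated_digest(password: str, salt: bytes, count_log2: int) -> bytes:
    """SHA-512 over salt+password, then re-hashed 2**count_log2 times with the
    password mixed in on every round (phpass-style key stretching)."""
    pw = password.encode("utf-8")
    h = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.sha512(h + pw).digest()
    return h


def make_record(password: str, count_log2: int = 15,
                salt: Optional[bytes] = None) -> str:
    """Build a self-describing stored record: scheme tag, cost, salt, digest.
    A fresh random 8-byte salt is drawn unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = salted_iterated_digest(password, salt, count_log2)
    return f"$S${count_log2:02d}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and cost; compare in constant
    time. Any malformed record is rejected rather than raising."""
    try:
        _, tag, cost, salt_hex, digest_hex = record.split("$")
        if tag != "S":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        count_log2 = int(cost)
    except ValueError:
        return False
    actual = salted_iterated_digest(password, salt, count_log2)
    return hmac.compare_digest(actual, expected)


def same_password_same_storage(scheme: str, password: str) -> bool:
    """True when two accounts that chose the same password end up with
    identical stored values under the named scheme ("unsalted" or "salted").
    A low cost is used here only to keep the comparison fast."""
    if scheme == "unsalted":
        return unsalted_hash(password) == unsalted_hash(password)
    return make_record(password, count_log2=8) == make_record(password, count_log2=8)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted: identical across users ->", same_password_same_storage("unsalted", pw))
    print("salted:   identical across users ->", same_password_same_storage("salted", pw))
    rec = make_record(pw)
    print("verify correct:", verify(pw, rec), " verify wrong:", verify("hunter2", rec))
```

The per-account salt is what makes a leaked table cost one full guessing run per account rather than one run for everyone, and the iteration count is what makes each guess expensive; both are recorded alongside the digest so that verification needs no secret beyond the password itself.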
The Drupal Association is responsible for maintaining the site, with the assistance of many trusted Drupal community volunteers.
First, we recommend as a precaution that you change or reset passwords on other sites where you may use similar passwords, even though all Drupal.org passwords are both hashed and salted (some older passwords on groups.drupal.org were not salted). To make your password more secure:
Second, be cautious if you receive e-mails asking for your personal information and be on the lookout for unwanted spam. It is not our practice to request personal information by e-mail. Also, beware of emails that threaten to close your account if you do not take the “immediate action” of providing personal information.
Although we do not store credit card information, as a precaution we recommend that you closely monitor your financial accounts if you made a transaction on association.drupal.org or if you use a password with your financial institution that is similar to your Drupal.org password. If you see unauthorized activity (in the U.S.), we also suggest that you submit a complaint with the Federal Trade Commission (“FTC”) by calling 1-877-ID-THEFT (1-877-438-4338) or online at http://ftccomplaintassistant.com. Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.
Based on the results of the investigation into this incident, we may update the FAQs and may recommend additional measures for protecting your personal information.