Drupal Resets Passwords After Breach

Drupal.org has reset all account passwords after discovering that intruders had gained unauthorized access to information on its servers.

The Drupal.org security team says it has discovered unauthorized access to Drupal.org and groups.drupal.org account information which has exposed user names, country, and email addresses along with hashed passwords. No credit card information was stored on the servers, but the investigation is ongoing and the team says it “may learn about other types of information compromised”. According to Drupal.org, there are over 967,000 registered users on the Drupal.org.

The security team has reset all passwords on the systems and is advising all users that, to regain access, they will need to reset their password by going to https://drupal.org/user/password, entering their username or email address there and waiting for a password reset email. The site says these emails will take up to an hour to arrive due to the “current load”. The passwords stored on Drupal.org should be hashed and salted, the administrators say, but “some older passwords on some subsites were not salted”.

According to the advisory, unspecified third-party software installed on the Drupal.org servers was compromised and the breach was not due to a vulnerability in the Drupal software. The compromise was uncovered in the course of a security audit, during which a number of files were discovered which were apparently used to expose the user account information. The Drupal team are in contact with the developer of the third-party software to ensure that the problem is fixed and disclosed.

The Drupal.org administrators are working with the OSU Open Source Lab, who host Drupal.org, and are rebuilding production, staging and development servers and installing GRSEC secure kernels on most of them. They will now be routinely scanning for other malicious and dangerous files and say that, so far, they have not found any. Finally, older Drupal.org subsites for specific events have been converted to static archives.

The exposure of salted and hashed passwords is more of an issue these days as advances in password cracking through rainbow tables, crowd sourcing or cloud-based crackers makes it more likely that passwords will, eventually, be revealed. Users should ensure their passwords are not made up of words or phrases, ensure a good mix of character types in their passwords and use different passwords on different sites so that, if one site is compromised, it doesn’t expose them on all the sites they use. Administrators should look at using stronger encryption for passwords to ensure their security.


About SCB Enterprises
System Solutions and Integration

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: