Friday, May 31, 2013
Drupal.org hacked, resets passwords after almost one million accounts exposed
Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data.
Drupal.org is the official website for the popular open-source content management platform. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application, not in Drupal itself, Holly Ross, executive director of the Drupal Association, wrote in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.
"Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."
There's no indication credit card data was intercepted. There's also no evidence that any unauthorized changes were made to Drupal source code or projects.
Drupal.org administrators have responded by rebuilding production, staging, and development systems and enhancing most servers with grsecurity, a hardening patch set for the Linux kernel. The admins have also hardened their configuration of the Apache Web server and added antivirus scanning to their security routine. Some Drupal.org subsites, particularly those with older content, have been converted to static archives so they can't be updated in the future.
Drupal.org account holders will be required to change their password by visiting this link, entering their username or e-mail address, and following the link included in the e-mail message that follows. Ross also encouraged account holders to change login credentials on other sites that used the same or a similar password used on Drupal.org.
Most of the passwords stored by Drupal.org were both salted and, more importantly, passed through a cryptographic hash function many times using the open-source phpass library. Some older passwords weren't salted. If Drupal engineers followed good practices, and there's no indication they didn't, the repeated hash iterations will go a long way to preventing anyone who obtains the data from quickly cracking the hashes and exposing the underlying plaintext that generated them, because every guess an attacker tries has to pay the same iteration cost. (Cryptographic salting, which combines a unique random value with each password before it's hashed, is also helpful, although people frequently overstate the protection it provides: a salt defeats precomputed lookup tables and stops one guess from being checked against every account at once, but it does nothing to slow down guessing against any single hash. For much more on password protection see the Ars feature Anatomy of a hack: How crackers ransack passwords like "qeadzcwrsfxv1331".)
Ross didn't identify the exploited third-party application. Given Drupal.org's use of Apache, it's possible the site was compromised by the same attack that has plagued at least 20,000 other sites in recent weeks. Researchers still don't know how attackers are gaining almost unfettered, "root" access on these servers, but the same backdoor, often known as Linux/Cdorked, more recently started compromising sites that run on the nginx and Lighttpd Web servers too.
The hacks are underscoring the growing vulnerability of websites to serious malware attacks. On Tuesday, evidence emerged that servers running the Ruby on Rails framework were being compromised and made part of a botnet. The attackers in that case were exploiting an extremely critical vulnerability that was patched in early January.
Drupal's front page states there are 967,545 people in 228 countries (speaking 181 languages) using the platform.

This article was written by: Rajesh Darvesh
He is an Ethical Hacking and Security Professional, with experience in various aspects of Information Security, and Founder of The Hacker Voice. Other than this, he is an Internet Activist and strong supporter of Anonymous and Wikileaks. You can follow him on Twitter.