The Drupal.org security team says it has discovered unauthorised access to Drupal.org and groups.drupal.org account information which has exposed user names, country, and email addresses along with hashed passwords. No credit card information was stored on the servers, but the investigation is ongoing and the team says it "may learn about other types of information compromised". According to Drupal.org, there are over 967,000 registered users on Drupal.org.
The security team has reset all passwords on the systems and is advising all users that, to regain access, they will need to reset their password by going to https://drupal.org/user/password, entering their username or email address there and waiting for a password reset email. The site says these emails will take up to an hour to arrive due to the "current load". The passwords stored on Drupal.org should be hashed and salted, the administrators say, but "some older passwords on some subsites were not salted".
According to the advisory, unspecified third-party software installed on the Drupal.org servers was compromised and the breach was not due to a vulnerability in the Drupal software. The compromise was uncovered in the course of a security audit, during which a number of files were discovered which were apparently used to expose the user account information. The Drupal team are in contact with the developer of the third-party software to ensure that the problem is fixed and disclosed.
The Drupal.org administrators are working with the OSU Open Source Lab, who host Drupal.org, and are rebuilding production, staging and development servers and installing GRSEC secure kernels on most of them. They will now be routinely scanning for other malicious and dangerous files and say that, so far, they have not found any. Finally, older Drupal.org subsites for specific events have been converted to static archives.
The exposure of salted and hashed passwords is more of an issue these days, as advances in password cracking through rainbow tables, crowdsourcing or cloud-based crackers make it more likely that passwords will, eventually, be revealed. Users should ensure their passwords are not made up of words or phrases, ensure a good mix of character types in their passwords and use different passwords on different sites so that, if one site is compromised, it doesn't expose them on all the sites they use. Administrators should look at using stronger hashing schemes for stored passwords to ensure their security: a feature article on The H – Storing passwords in uncrackable form – provides guidance on how to do this.
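The advisory's note that some older passwords were not salted, and the advice above to store passwords more strongly, can be illustrated with an added example that is not code from Drupal.org or from The H. It assumes the legacy records are unsalted MD5 hex digests (the article does not name the scheme); the function names and the iteration count are hypothetical. It shows how an administrator can harden such records without knowing the passwords, then upgrade each one at the next successful login.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def legacy_hash(password: str) -> str:
    """Constructed stand-in for an old unsalted scheme (assumption: MD5 hex)."""
    return hashlib.md5(password.encode()).hexdigest()


def _kdf(secret: str, salt: bytes) -> bytes:
    # Salted, deliberately slow derivation (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def wrap_legacy(legacy_hex: str) -> dict:
    """Harden an unsalted record without knowing the password:
    run the old digest through the salted KDF and discard the original."""
    salt = os.urandom(16)
    return {"scheme": "wrapped", "salt": salt, "hash": _kdf(legacy_hex, salt)}


def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": _kdf(password, salt)}


def verify(password: str, record: dict) -> tuple[bool, dict]:
    """Return (ok, record); a wrapped record is upgraded on successful login."""
    secret = legacy_hash(password) if record["scheme"] == "wrapped" else password
    ok = hmac.compare_digest(_kdf(secret, record["salt"]), record["hash"])
    if ok and record["scheme"] == "wrapped":
        record = new_record(password)  # drop the legacy digest from the chain
    return ok, record


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    old = {"alice": legacy_hash("correct horse"), "bob": legacy_hash("correct horse")}
    print("unsalted digests identical:", old["alice"] == old["bob"])
    db = {user: wrap_legacy(digest) for user, digest in old.items()}
    print("wrapped digests identical:", db["alice"]["hash"] == db["bob"]["hash"])
    ok, db["alice"] = verify("correct horse", db["alice"])
    print("login ok:", ok, "scheme now:", db["alice"]["scheme"])
```

Identical unsalted digests are what make precomputed tables effective; after wrapping, each record has its own salt and every guess costs the full iteration count.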