Drupal.org Gets Hit With Data Breach, Resets Passwords


Drupal, the popular open-source content management system used by hundreds of thousands of blogs and websites, has reset the passwords of its Drupal.org users following a data security breach of the company's servers.

The company's security team is still investigating the incident and hasn't yet determined the scope of the problem, according to a message to Drupal users posted on its forum announcement page. User account data stored on Drupal.org and groups.drupal.org had been exposed in the breach, wrote Holly Ross, executive director of the Drupal Association. The exposed data included usernames, email addresses and hashed passwords.

"We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have," Ross wrote. "However, we are committed to transparency and will report to the community once we have an investigation report."

A scan for additional malware following the initial discovery has not detected any other issues, Ross said. Attackers targeted a known, publicly disclosed vulnerability in third-party software installed on the Drupal.org server infrastructure. The breach was not the result of a vulnerability within Drupal itself.

The company did not disclose when it discovered the breach. Drupal rebuilt its production, staging and development servers using kernel security software provided by Grsecurity. The organization's Apache Web server configurations were hardened. Drupal engineers also created static archives of older content to prevent tampering and removed old passwords on "sub-sites and non-production installations."

"No evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org," Ross wrote. "Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls."

The Drupal breach is another in a long line of exposed user account data at social networks and other websites. In April, e-commerce startup LivingSocial revealed a data security breach. The firm reset the passwords of at least 50 million of its users after it found malware on its internal servers. Twitter, Tumblr and Pinterest users were impacted by a data security breach at third-party customer service provider Zendesk. And millions of usernames and passwords were exposed last year in a breach at social networking site LinkedIn.

The user account security problem stems from the increasing value of stolen usernames and passwords, according to the 2013 Verizon Data Breach Investigations Report. Financially motivated cybercriminals, hacktivists and nation-state-driven targeted attackers use stolen account credentials to become valid users on corporate networks, increasing their chances of evading detection and getting out with stolen data. The report found that the majority of the more than 600 data breaches it analyzed used stolen credentials, among other techniques.

PUBLISHED MAY 30, 2013