In a significant data breach, the Drupal Association has announced that passwords for nearly one million accounts on its Drupal.org platform will be reset. This action was initiated after hackers gained unauthorized access to sensitive user data, raising serious concerns regarding cybersecurity within the open-source content management system.
The intrusion occurred through compromised third-party software installed on the Drupal.org server infrastructure, rather than exploiting a vulnerability within the Drupal system itself. This distinction is crucial as it highlights the risks associated with third-party dependencies in software environments. To mitigate potential fallout from this breach, the organization is proactively resetting user passwords as a security measure.
The types of data at risk comprise usernames, email addresses, and country information, alongside hashed passwords. However, the identity of the exploited third-party application has not been disclosed by the Drupal.org team.
Evidence of the breach was discovered during a routine security audit:
“Upon discovering the compromised files during a security audit, we promptly shut down the association.drupal.org website to prevent further security issues stemming from this incident,” stated the Drupal security team. Forensic analyses revealed that user account information had indeed been accessed through this vulnerability.
The Drupal Security and Infrastructure Teams confirmed unauthorized access to account information on both Drupal.org and groups.drupal.org. They stressed that this breach is specific to user account data on their platforms and does not extend to other sites operating on Drupal.
The significance of the Drupal data breach is amplified by the fact that a substantial number of websites rely on this popular content management system, which powers approximately 2% of all sites online. While the breach specifically affects Drupal.org users, it does not appear to compromise the broader community of Drupal users.
Despite confirming unauthorized access to their systems, the Drupal.org Security Team has emphasized that there is currently no evidence indicating that any personal data was actually stolen. Nevertheless, as a precautionary approach, all users have been instructed to reset their passwords during their next login attempt.
Holly Ross, Executive Director of the Drupal Association, has indicated that the organization is continuing its investigation into the incident, which may uncover additional types of exposed information, prompting further notifications to affected users.
Attacks on open-source CMS solutions are not unprecedented. High-profile cyber incidents have historically impacted platforms like Joomla and WordPress, demonstrating a trend in which widely used frameworks attract malicious actors. A recent example is a large-scale brute-force attack on WordPress, executed by a botnet consisting of nearly 100,000 bots.
As cyber threats continue to evolve, this recent incident serves as a reminder of the vulnerabilities inherent in widely deployed software platforms. Drupal.org account holders will need to change their passwords by either entering their username or email address and following the password reset instructions they receive via email.