Hackers ransacked the servers of Drupal.org, an open source content management platform, to plunder the sensitive information of nearly one million accounts.
Holly Ross, executive director of the Portland, Ore.-based Drupal Association, said a vulnerability in third-party software installed on company servers enabled the intrusion.
The Drupal Association is the nonprofit organization that supports the open source CMS project Drupal, which is not a commercial entity. Drupal software is offered free for download, and is comparable to other popular content management systems like WordPress.
In a Wednesday blog post, Ross said usernames, email addresses, country information, and hashed passwords were exposed in the incident. All passwords were hashed, while only some were salted, an additional security layer where a sequence of symbols is added to passwords before they're hashed.
As a safety measure, the company reset all passwords for its nearly one million accounts.
Ross did not reveal when the breach occurred or the specific software flaw used by the hackers. SCMagazine.com reached out to the Drupal Association on Thursday, but did not immediately hear back.
“Unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself,” Ross wrote in the blog post. “We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate.”
Ross advised that users change their passwords for other websites, if they used ones similar to their Drupal.org login.
Credit card information was not stored on the breached servers, which housed data for Drupal.org and groups.drupal.org, the company's site for teams of individuals wanting to organize projects.
To prevent similar breaches like this from happening again, Drupal took tightened security by implementing grsecurity (patches for Linux kernels), hardening its Apache web server configurations, and removing old passwords it previously stored.