Important Security Update: Reset Your Drupal.org Password

a.san...@gmail.com
May 30, 2013, 12:29:26 AM5/30/13
to drupa...@googlegroups.com, drup...@googlegroups.com
https://drupal.org/news/130529SecurityUpdate

Posted by holly.ross.drupal on May 29, 2013 at 8:26pm

The Drupal.org Security Team and Infrastructure Team have discovered
unauthorized access to account information on Drupal.org and
groups.drupal.org.

This access was accomplished via third-party software installed on the
Drupal.org server infrastructure, and was not the result of a
vulnerability within Drupal itself. This notice applies specifically
to user account data stored on Drupal.org and groups.drupal.org, and
not to sites running Drupal generally.

Information exposed includes usernames, email addresses, and country
information, as well as hashed passwords. However, we are still
investigating the incident and may learn about other types of
information compromised, in which case we will notify you accordingly.
As a precautionary measure, we've reset all Drupal.org account holder
passwords and are requiring users to reset their passwords at their
next login attempt. A user password can be changed at any time by
taking the following steps.

1. Go to https://drupal.org/user/password
2. Enter your username or email address.
3. Check your email and follow the link to enter a new password.

It can take up to 15 minutes for the password reset email to
arrive. If you do not receive the e-mail within 15 minutes, make sure
to check your spam folder as well.

All Drupal.org passwords are both hashed and salted, although some
older passwords on some subsites were not salted.

See the recommendations below on additional measures that you can take
to protect your personal information.

What happened?

Unauthorized access was made via third-party software installed on the
Drupal.org server infrastructure, and was not the result of a
vulnerability within Drupal itself. We have worked with the vendor to
confirm it is a known vulnerability and has been publicly disclosed.
We are still investigating and will share more detail when it is
appropriate. Upon discovering the files during a security audit, we
shut down the association.drupal.org website to mitigate any possible
ongoing security issues related to the files. The Drupal Security Team
then began forensic evaluations and discovered that user account
information had been accessed via this vulnerability.

The suspicious files may have exposed profile information like
username, email address, hashed password, and country. In addition to
resetting your password on Drupal.org, we are also recommending a
number of measures (below) for further protection of your information,
including, among others, changing or resetting passwords on other
sites where you may use similar passwords.

What are we doing about it?

We take security very seriously on Drupal.org. As attacks on
high-profile sites (regardless of the software they are running) are
common, we strive to continuously improve the security of all
Drupal.org sites.

To that end, we have taken the following steps to secure the
Drupal.org infrastructure:

- Staff at the OSU Open Source Lab (where Drupal.org is hosted) and
  the Drupal.org infrastructure teams rebuilt production, staging, and
  development webheads, and GRSEC secure kernels were added to most
  servers.
- We are scanning and have not found any additional malicious or
  dangerous files, and we are making scanning a routine job in our
  process.
- There are many subsites on Drupal.org, including older sites for
  specific events. We created static archives of those sites.

We would also like to acknowledge that we are conducting an
investigation into the incident, and we may not be able to immediately
answer all of the questions you may have. However, we are committed to
transparency and will report to the community once we have an
investigation report.

If you have any reason to believe that your information has been
accessed by someone other than yourself, please contact the Drupal
Association immediately by sending an email to
pass...@association.drupal.org. We regret this occurred and want to
assure you we are working hard to improve security.

Thank you,
Holly Ross
Drupal Association Executive Director
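The notice above points out that some older subsite passwords were hashed but not salted. The following added example (not part of the Drupal.org notice, and not Drupal's own hashing code) shows why that distinction matters to defenders: with an unsalted hash, every user sharing a password also shares a stored hash, so one recovered hash exposes all of them and precomputed tables apply across the whole database. The sample users, the SHA-1 "legacy" scheme and the `iterations$salt$digest` storage layout are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (hypothetical, not from the incident).
# Two users happen to share a password, which is common in real user bases.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}


def unsalted_hash(password: str) -> str:
    """Legacy-style scheme assumed for the example: no salt, single SHA-1 pass.
    Identical passwords always produce identical stored values."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = b"", iterations: int = 100_000) -> str:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256).
    Storage layout 'iterations$salt_hex$digest_hex' is an assumption of this example."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute using the salt and iteration count stored beside the digest,
    then compare in constant time to avoid leaking a timing signal."""
    iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def count_shared_hashes(hasher) -> int:
    """Number of stored hashes that collide across users.
    Non-zero means one recovered hash reveals every user with that password;
    zero means each stored value has to be attacked separately."""
    hashes = [hasher(pw) for pw in USERS.values()]
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    print("unsalted collisions:", count_shared_hashes(unsalted_hash))  # 1
    print("salted collisions:  ", count_shared_hashes(salted_hash))    # 0
```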