Drupal Association Executive Director Holly Ross has issued an official statement following an initial security audit on their side. It sets out the security measures needed to protect Drupal.org accounts from misuse or hacking. Drupal's infrastructure was compromised through installed third-party software, which exposed certain information on the Drupal.org website and its subdomain groups.drupal.org. A malicious injection into their systems left users vulnerable by exposing the following information:
- Email address
- Passwords in hashed form. These are stored in PHPass format after being hashed multiple times. Such hashes can be broken with the help of high-end servers with a lot of processing power.
The information above can be used to reset Drupal.org passwords. To protect users, Executive Director Holly Ross gave a detailed press briefing with suggested security checks and measures. The website does not store sensitive information such as addresses, credit card credentials or CVV codes.
Holly Ross has recommended that users change their Drupal.org password. This is a precaution to protect users in case the hash protection is somehow defeated. Visit the drupal.org site with your credentials; it requires your email address and username. Ask the server to send a password-reset link to your email address. You will receive the email in fifteen minutes. Open it and click the reset URL, which takes you to a page where you can enter your new password.
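How the repeated hashing behind the PHPass format mentioned above works, as an added example that is not from the original statement or from Drupal's code: it reads the round count out of a phpass portable hash and re-derives the hash to check a password. It assumes the classic MD5-based portable scheme (`$P$` prefix); the sample hash is the test vector shipped with the phpass distribution, not data from the incident.

```python
import hashlib
import hmac

# Alphabet phpass uses for the cost character, the salt and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Test vector from the phpass distribution (password "test12345").
SAMPLE_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"


def _encode64(data: bytes) -> str:
    """phpass's base64 variant: little-endian 24-bit groups, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        # 1 byte -> 2 chars, 2 bytes -> 3 chars, 3 bytes -> 4 chars
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)


def iterations(stored: str) -> int:
    """Return the number of hashing rounds encoded in a portable hash."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    log2 = ITOA64.find(stored[3])  # 4th character is log2(rounds)
    if not 7 <= log2 <= 30:
        raise ValueError("cost outside the range phpass accepts")
    return 1 << log2


def verify(password: str, stored: str) -> bool:
    """Recompute the stretched hash and compare in constant time."""
    rounds = iterations(stored)
    pw = password.encode("utf-8")
    salt = stored[4:12].encode("ascii")  # 8-character per-user salt
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):  # every guess costs this many extra MD5 calls
        digest = hashlib.md5(digest + pw).digest()
    candidate = stored[:12] + _encode64(digest)
    return hmac.compare_digest(candidate.encode(), stored.encode())


if __name__ == "__main__":
    print(iterations(SAMPLE_HASH), verify("test12345", SAMPLE_HASH))
```

The round count only multiplies the cost of each guess, so a weak password stays recoverable from a leaked hash, which is why the reset is recommended.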
The Drupal Association has taken the following precautionary steps. The steps mentioned are only part of the extra measures.
- The entire set of servers is being scanned with antivirus software for sniffers, viruses and other malicious programs. The process is still under way as I write this article. It will remove any extra junctions to the existing file signatures.
- The backend server is Apache. Its configuration has been modified to restrict access to certain sensitive files and folders.
- The whole server will now be converted into static content archived on separate servers, much as Google keeps a cache. Websites that are not dynamic will be moved to static archives too. This will make restoring data and checking modification signatures an easy process for security experts.
The initial stage of the security audit is complete, but forensic analysis is still pending. There is no proof that Drupal's core files were modified, but this should be known soon. The vendor of the third-party software that allowed the malicious injection has been notified, and the flaw has been made public. The Association is not yet clear about the intention or purpose behind this act.