Hackers hit the open source content management platform Drupal and captured nearly one million accounts.
The non-profit Drupal Association supports the open source CMS project, which, as it turns out, had an issue with a vulnerability in third-party software installed on company servers, said Holly Ross, executive director of the Drupal Association, in a blog post. Drupal said it worked with the vendor to confirm the known vulnerability, which has been publicly disclosed.
She confirmed the information exposed included user names, email addresses and country information, as well as hashed passwords.
“However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,” she said.
“As a precautionary measure, we’ve reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. All Drupal.org passwords are both hashed and salted, although some older passwords on some sub-sites were not salted.”
Ross said that, at the moment, Drupal had not found any additional malicious or dangerous files, and that it was making scanning a routine part of its process.
As has been said in the past, organizations need to fully audit and understand all of their applications, including third-party apps, to safeguard the data and privacy of their users.