Security experts claim that the user database of Drupal.org and groups.drupal.org was hacked.
The hack was made possible by an unpatched vulnerability in third-party software installed on the association.drupal.org server.
“We have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. We are still investigating and will share more detail when it is appropriate. Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability”, says the official statement.
By exploiting the vulnerability, the hackers were able to gain access to users’ information, their email addresses, country of residence and hashed passwords.
Analysts point out that the investigation into the incident is continuing. It is possible that the hackers managed to steal users’ confidential information.
Thus, to prevent future loss of information and the illegal loss of user credentials, the Drupal.org administration advised users to change their passwords.