Hack strikes Drupal.org community

Malicious software has exposed user information stored on Drupal.org and groups.drupal.org, but the sites' eponymous content management system was not harmed. Sites running Drupal generally are not at risk, either. 

The data bared includes usernames, email addresses, country information, encrypted passwords, and possibly other as-yet-undetermined details, Holly Ross, Drupal Association executive director, wrote in a May 29 notice posted on the organization's main site.

"We are still investigating the incident and may learn about other types of information compromised," she stated.

All Drupal.org account passwords have been revoked and users of the open source software site are required to create new passwords the next time they log in. The malware snuck in through a flaw in an unnamed third-party software program that was located on the association's website server. The incident "was not the result of a vulnerability within Drupal itself," Ross emphasized. 

She added, "We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org."

Personnel recently discovered the suspicious activity during a security audit.