Drupal data breach exposes data of 1 million users

By Pierluigi Paganini, Editor-in-Chief, CDM

Jun 04, 2013, 03:30 pm EST

A Drupal data breach was announced by the official Drupal Association, Drupal hit by a large-scale data violation that could have exposed data for nearly one million accounts.

The news has been provided by The Drupal Association with an official notice, the security of the open source content management system has been compromised, as countermeasure it is resetting the passwords for nearly one million accounts in the wake of a data breach.

Unknown hackers have exploited a known vulnerability in a third-party software that was installed on the Drupal.org server infrastructure to access to the system, The Drupal.org hasn’t revealed the name of the third-party application exploited during the attack.

Evidence of the Drupal data breach was found during a routine security audit:

“Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files,” “The Drupal security team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”

“The Drupal.org Security Team and Infrastructure Team have discovered unauthorized access to account information on Drupal.org and groups.drupal.org.

This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.”

The Drupal data breach is considerably really serious about user’s security, an impressive amount of web sites is based on the popular content management, according the official notice information exposed for almost one million accounts includes usernames, email addresses, and country information, as well as hashed passwords.

The Drupal.org Security Team confirmed the “unauthorized access” to their system, highlighting that there’s no evidence that any information was actually stolen. As a precautionary measure was requested all users to reset their passwords at their next login attempt.

Holly Ross, Executive Director for Drupal Association confirmed that they are investigating on the incident that could have exposed also other info:

“We are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly,”

The attacks to Open Source CMS solutions are not an isolated cases due their large diffusion, in the past Joomla and WordPress platforms were hit and used to spread malicious code, WordPress recently was hit by a massive “brute-force” attack by botnet composed by almost 100,000 bots.


It’s easy to predict that this kind of attacks is likely to increase for the large-diffusion of these platforms which makes them privileged targets.

(Source: CDM & Security Affairs – Hacking)

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.