Welcome to WebmasterWorld Guest from 54.196.244.45

Forum Moderators: ergophobe

Message Too Old, No Replies

Change your drupal.org passwords

     
11:33 pm on May 29, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 26, 2002
posts:810
votes: 0


Unauthorized access to account information was discovered on Drupal.org and groups.drupal.org.

From drupal.org/news/130529SecurityUpdate

What happened?

Malicious files were placed on association.drupal.org servers via a third-party application used by that site. Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.
3:32 am on May 30, 2013 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


Thanks for the heads up - this is why I use random auto-generated passwords on most sites. If someone cracks my password, it's only for one site.
3:19 pm on May 30, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month

joined:Mar 30, 2006
posts:1377
votes: 51


Thanks, I got the email.

I understand the problem is not related to Drupal but to the accounts we might have at Drupal.org, so Drupal installs are safe as yesterday or a week ago.
3:52 pm on May 30, 2013 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14624
votes: 88


Oh look, they're jealous of all the WordPress hacks and had to go get one for themselves!
5:54 pm on May 30, 2013 (gmt 0)

Junior Member

5+ Year Member

joined:May 8, 2006
posts:144
votes: 0


@ergophobe you and me both, buddy!
6:09 am on May 31, 2013 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


"Drupal installs are safe"

True, this is not news about a vulnerability in Drupal per se, but that does not imply that Drupal installs are safe or unsafe, merely that the Drupal.org website got hacked in some unknown way.

As in "Bob crashed his Ford because he was drunk, so my car is safe." Maybe, maybe not ;-)
8:26 pm on June 2, 2013 (gmt 0)

Full Member

10+ Year Member

joined:Jan 5, 2003
posts:202
votes: 0


I understand the problem is not related to Drupal but to the accounts we might have at Drupal.org, so Drupal installs are safe as yesterday or a week ago.


One thing that I really like about drupal is how well the security team and other members of the community communicate issues.