Drupal Users Urged to Change Their Passwords

Today Drupal Association Executive Director Holly Ross sent out a massive email to all drupal.org users urging them to change their passwords as a precautionary measure against a recent security incident.

Drupal.org’s security and infrastructure teams discovered unauthorized access to sensitive user account information including, email address, usernames, country information and hashed passwords.

Additional security measures have already been implemented to prevent this type of attack from happening again.  Members logging in will be required to change their password.

Holly Ross stated in her email

This unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within the Drupal software itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.

Here are a few simple steps that are being recommended when creating a new password:

• Do not use passwords that are simple words or phrases
• Never use the same password on multiple sites or services
• Use different types of characters in your password (uppercase letters, lowercase letters, numbers, and symbols).

They are also recommending that you change your password on any sites where you may use the same username, or password.

For more information, please review the security announcement and FAQ at https://drupal.org/news/130529SecurityUpdate. If you find any reason to believe that your information has been accessed by someone other than yourself, please contact the Drupal Association immediately, by sending an email to password@association.drupal.org