Yesterday Drupal.org was hacked; Drupal is also used as a back-end system for Whitehouse.gov. Drupal itself confirmed the breach in its News & Announcement section, under the FAQ.
It is still unknown who was behind this hack. According to Drupal, its Security Team and Infrastructure Team have identified unauthorized access to user information on Drupal.org and groups.drupal.org, which occurred via third-party software installed on the Drupal.org server infrastructure.
In the Drupal breach, some confidential user information was stolen, including passwords.
Drupal still thinks that hashed passwords are secure, but it seems they never tried searching Google for a hash cracker.
What was taken from the Drupal server?
- Email address
- Hashed passwords
- Country for some users
Drupal also shared some important information for users:
- Was my credit card information exposed? – We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted.
- Were projects or hosted drupal.org code altered? – We have no evidence to suggest that an unauthorized user modified Drupal core or any contributed projects or packages on Drupal.org. Software distributed on Drupal.org is open source and bundled from publicly accessible repositories with log histories and access controls.
Drupal users can change their passwords with the following steps:
- Go to https://drupal.org/user/password
- Enter your username or email address.
- Check your email and follow the link to enter a new password.
*It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.
Drupal is also used as a back-end system for at least 2.1% of all websites worldwide, ranging from personal blogs to corporate, political and government sites, including whitehouse.gov and data.gov.uk.