How to correctly handle a security breach – Drupal.org
I just got an e-mail from Drupal.org – they have found out that somebody had unauthorized access to user data at drupal.org and groups.drupal.org. They are still investigating, however they would like to have every member of the community to change his/her password.
Let’s see the exact case:
The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org.
This access was accomplished via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. This notice applies specifically to user account data stored on Drupal.org and groups.drupal.org, and not to sites running Drupal generally.
Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we are asking all users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.
- Go to https://drupal.org/user/password
- Enter your username or email address.
- Check your email and follow the link to enter a new password.
- It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.
All passwords on Drupal.org are stored in an hashed format. All Drupal.org passwords are both hashed and salted, although some older passwords on groups.drupal.org and other Drupal 6 sites were not salted.
I think that’s the proper way to handle a data breach – close the hole as fast as you can, notify everyone as soon as possible, then investigate.
For more information visit: