Passwords for almost one million accounts on the Drupal.org website are being reset after hackers gained unauthorized access to sensitive user data. Drupal.org is the official website for the popular open-source content management platform.

The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application and not in Drupal itself, according to Holly Ross, executive director of the Drupal Association, in a blog post published Wednesday. The hack exposed usernames, e-mail addresses, country information, and cryptographically hashed passwords, although investigators may discover additional types of information were compromised.

"Malicious files were placed on servers via a third-party application used by that site," Ross wrote. "Upon discovering the files during a security audit, we shut down the website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."

There's no indication credit card data was intercepted. There's also no evidence that any unauthorized changes were made to Drupal source code or projects.

Drupal.org administrators have responded by rebuilding production, staging, and development systems and enhancing most servers with grsecurity, a set of security patches for the Linux operating system. The admins have also hardened their configuration of the Apache Web server application and added antivirus scanning to their security routine. Some subsites, particularly those with older content, have been converted to static archives so they can't be updated in the future.

Drupal.org account holders will be required to change their password by visiting this link, entering their username or e-mail address, and following the link included in the e-mail message that follows. Ross also encouraged account holders to change login credentials on other sites that used the same or a similar password used on Drupal.org.

Most of the passwords stored by Drupal.org were both salted and, more importantly, passed through a cryptographic hash function multiple times using the open-source phpass application. If Drupal engineers followed good practices, and there's no indication they didn't, the repeated hash iterations will go a long way towards preventing anyone who obtains the data from quickly cracking the hashes and exposing the underlying plaintext that generated them. (Cryptographic salting, which appends unique characters to each password before it's hashed, is also helpful, although people frequently overstate the protection it provides.)
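The difference between salting and repeated hash iterations, as an added example that is not code from Drupal, phpass, or the article: the salt keeps two accounts with the same password from sharing a stored hash, while the round count sets how much work each guess costs. The use of SHA-512, the record layout, and every function name here are assumptions of this sketch, and it does not produce phpass-compatible hashes.

```python
import hashlib
import hmac
import os

def stretch(password, salt, log2_rounds):
    """H(salt || pw), then 2**log2_rounds rounds of H(previous || pw)."""
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.sha512(digest + pw).digest()
    return digest

def make_record(password, log2_rounds=15, salt=None):
    """Build the stored record; a fresh random salt per account by default."""
    salt = os.urandom(8) if salt is None else salt
    return {"salt": salt, "log2_rounds": log2_rounds,
            "hash": stretch(password, salt, log2_rounds)}

def verify(password, record):
    """Recompute with the stored salt and rounds; compare in constant time."""
    candidate = stretch(password, record["salt"], record["log2_rounds"])
    return hmac.compare_digest(candidate, record["hash"])

def offline_cost(records, n_candidates):
    """Hash calls needed to test n_candidates guesses against every record.

    Records sharing a salt and round count can be tested with one
    computation per guess, so only distinct (salt, rounds) pairs add work.
    """
    distinct = {(r["salt"], r["log2_rounds"]) for r in records}
    return n_candidates * sum((1 << rounds) + 1 for _, rounds in distinct)

if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password.
    alice = make_record("correct horse", log2_rounds=10)
    bob = make_record("correct horse", log2_rounds=10)
    print("same password, same stored hash?", alice["hash"] == bob["hash"])
    print("verify ok:", verify("correct horse", alice))
    for rounds in (0, 10, 15):
        rec = make_record("correct horse", log2_rounds=rounds)
        print(rounds, offline_cost([rec], 1_000_000))
```

With unique salts the total work grows with the number of accounts, but the per-guess cost is set entirely by the round count, which is why the iterations matter more for any single password.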