Thursday, May 30, 2013
Drupal.org hacked you need to change passwords
Hacking is associated with vulnerability to third-party software that was installed on the server association.drupal.org, rather than the most vulnerable in the content management system Drupal. So in that sense, users need not worry.
The problem is that by the attackers got the information about users, including usernames, emails are, country of residence (specified at registration) and hashed passwords. Who is going to investigate the incident and you may find that this is a partial list of the compromised information.
For users Drupal.org all the passwords were stored in hashed form with individual salt for each password. Although the attackers were, and hashes, and salt, but they will not be able to quickly decipher much of hashes by comparison with rainbow tables. Each of the hashes should be processed separately.
Some of the old passwords groups.drupal.org and other sites in Drupal 6 hashes stored without the use of salt.
As a precaution, all users are asked to login the next time the system required to change the password on the Drupal.org site and other sites that use the same password.
You can change passwords at https://drupal.org/user/password