
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2013-05-30



Drupal.org & group.drupal.org password disclosure

Published: 2013-05-30
Last Updated: 2013-05-30 04:12:54 UTC
by Mark Hofman (Version: 1)
5 comment(s)

The Drupal security teams have identified a breach in their environment that has disclosed passwords. As their notification at https://drupal.org/news/130529SecurityUpdate states, most of the passwords were salted and hashed; older passwords were not (although common practice is to store the salt value in the same table as the password, so that might not actually help much). According to the update, they are still investigating what else may have been accessed. If you have one of those accounts, happy password changing. If you use that password anywhere else (and of course you don't), you might want to change that whilst you are at it.
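The salted-versus-unsalted distinction in the paragraph above, as an added example that is not code from this diary or from Drupal: unsalted records expose every account that shares a password, per-record salts stored beside the hash remove that link, and a legacy record can be upgraded at the next successful login. SHA-256 as the stand-in for the older unsalted format, PBKDF2 with the iteration count shown, all function names and the user table are assumptions constructed for illustration.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor; tune for your own hardware

def legacy_hash(password):
    # Stand-in for an older unsalted record: a bare fast digest (SHA-256 assumed).
    return {"scheme": "legacy", "hash": hashlib.sha256(password.encode()).hexdigest()}

def salted_hash(password, salt=None):
    # The salt sits beside the hash and is not a secret: it only makes each
    # record unique. The iteration count is what makes each guess expensive.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iterations": ITERATIONS, "hash": dk.hex()}

def verify(password, rec):
    if rec["scheme"] == "legacy":
        candidate = legacy_hash(password)["hash"]
    else:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(rec["salt"]),
                                        rec["iterations"]).hex()
    return hmac.compare_digest(candidate, rec["hash"])

def shared_hashes(table):
    # Groups of users whose stored hash is byte-identical to another user's.
    seen = {}
    for user, rec in table.items():
        seen.setdefault(rec["hash"], []).append(user)
    return sorted(sorted(users) for users in seen.values() if len(users) > 1)

def login(table, user, password):
    # Verify, then transparently replace a legacy record with a salted one.
    rec = table.get(user)
    if rec is None or not verify(password, rec):
        return False
    if rec["scheme"] == "legacy":
        table[user] = salted_hash(password)
    return True

def sample_table(make):
    # Constructed sample data: alice and bob reuse the same password.
    return {"alice": make("correct horse"), "bob": make("correct horse"),
            "carol": make("tr0ub4dor")}

if __name__ == "__main__":
    print("unsalted, shared:", shared_hashes(sample_table(legacy_hash)))
    print("salted, shared:  ", shared_hashes(sample_table(salted_hash)))
```

Running `shared_hashes` over a real credential table before and after a migration gives a quick check that no legacy records with identical hashes remain.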

From the perspective of letting people know, I must say I'm quite impressed. They notified fairly early on, and they provide some details of the incident, steps to take, and actions they are taking. From the breach notifications I have seen recently, this is one of the more complete and useful ones.

Cheers

Mark H
