On Tuesday, November 3rd, it was discovered that scratchvm.drupal.org, used for
testing Drupal infrastructure upgrades, was compromised by a brute force attack
on a weak account password. The attacker was NOT able to achieve root access to
the server. However, to ensure the continued security of user accounts, the
Infrastructure Team has revoked passwords for Drupal CVS accounts and for
Infrastructure Team members.

If you do not have CVS access, and are not a member of the Drupal Infrastructure
Team, YOU MAY IGNORE THIS EMAIL. Likewise, if you have a CVS account which is no
longer in use, you can ignore this email and your account will remain securely
locked out.

CVS Account Passwords

A mirror of the Drupal CVS repository was stored on the compromised server. This
included secure hashes of CVS passwords. While it is extremely unlikely that CVS
accounts could be compromised, passwords have been revoked as a precaution.

To reset your CVS account password:

  1. Log in to your user account at http://drupal.org/
  2. Click on "My account" in the navigation block.
  3. Click the "Edit" tab for your account.
  4. Click the "CVS" sub-tab under "Edit".
  5. Enter a new password, and click "Save".
  6. Wait AT LEAST 30 MINUTES before attempting to use your CVS account. This time is needed for the CVS server to synchronize your password.

If you cannot access your CVS account after following these steps, please file a
support request in the Drupal infrastructure issue queue:

http://drupal.org/project/issues/infrastructure

Drupal Infrastructure Team Passwords

Credentials saved by the Subversion client are stored in clear text, and were
potentially exposed to the attacker. By default, your username and password
would be stored for any protected Subversion server accessed from scratchvm,
such as svn.drupal.org.

While it is unlikely that the attacker accessed Subversion passwords, in order
to protect your account, infrastructure.drupal.org passwords have been revoked.

To reset your Infrastructure Team password:

  1. Browse to https://infrastructure.drupal.org/user/password
  2. Enter your user name or email address.
  3. Follow the instructions sent to your email to use the one-time login link.
  4. Reset your password to one that is different from what you previously used.
  5. If you have Subversion access, WAIT AT LEAST 30 MINUTES before accessing your Subversion account. This time is needed for the Subversion server to synchronize your password.

If you cannot access your Subversion account after following these steps, please file a support request in the Drupal infrastructure issue queue:

http://drupal.org/project/issues/infrastructure

Users of scratchvm.drupal.org

If you accessed a protected SVN server other than svn.drupal.org, or used other
programs which saved passwords in clear-text, it is recommended that you change
your password for those services.
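
To find out which servers that applies to, the Subversion client's credential
cache can be listed. The following is an added example, not part of the original
notice or any Drupal tooling. It assumes the client's usual on-disk cache in
~/.subversion/auth/svn.simple and its "K n / key / V n / value / END" file
format; the function names and the sample entries are constructed for
illustration.

```python
import tempfile
from pathlib import Path

def parse_svn_hash(data):
    """Parse Subversion's length-prefixed 'K n / key / V n / value ... END' format."""
    fields, pos = {}, 0
    def read_item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)               # ValueError if truncated
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag or not header[1].isdigit():
            raise ValueError("malformed header at byte %d" % pos)
        start, size = eol + 1, int(header[1])
        pos = start + size + 1                     # skip the value and its newline
        return data[start:start + size].decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        fields[key] = read_item(b"V")
    return fields

def cleartext_realms(auth_dir):
    """Return sorted (realm, username) pairs whose cached password is unencrypted."""
    found = []
    for path in Path(auth_dir).iterdir():
        try:
            entry = parse_svn_hash(path.read_bytes())
        except (OSError, ValueError):
            continue                               # unreadable or not a cache entry
        # Assumption: a missing passtype is treated like "simple" (clear text).
        if "password" in entry and entry.get("passtype", "simple") == "simple":
            found.append((entry.get("svn:realmstring", "?"), entry.get("username", "?")))
    return sorted(found)

def _dump(fields):  # serializer, used only to build the constructed sample below
    items = (b"K %d\n%s\nV %d\n%s\n" % (len(k), k.encode(), len(v), v.encode()) for k, v in fields.items())
    return b"".join(items) + b"END\n"

def demo():  # audits two constructed cache entries; passwords are never returned
    sample = [{"passtype": "simple", "password": "constructed-pw", "username": "alice",
               "svn:realmstring": "<https://svn.example.org:443> Example"},
              {"passtype": "gnome-keyring", "username": "alice", "svn:realmstring": "<https://svn.example.net:443> Other"}]
    with tempfile.TemporaryDirectory() as tmp:
        for i, fields in enumerate(sample):
            Path(tmp, "entry%d" % i).write_bytes(_dump(fields))
        return cleartext_realms(tmp)

if __name__ == "__main__":
    cache = Path.home() / ".subversion" / "auth" / "svn.simple"
    print(cleartext_realms(cache) if cache.is_dir() else demo())
```

Each realm it reports is a server whose password was readable from the cache and should be changed.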