Gibson Index

2013-05-30: Drupal.org Breached, Account Information Exposed

Level Three Attack

Administrators for the project say that user data such as names, password hashes, and email addresses were likely exposed by unauthorized access through third-party software installed on the drupal.org servers.

It should be said that this only affects the Drupal.org and Groups.drupal.org websites; it does NOT affect websites based on the Drupal software library.

I've rated this as a Level Three Attack because Drupal.org and related sites are congregation points for a large number of software developers - if this had progressed as a watering hole attack, all of the software and servers that those developers were working on could have been at risk. As it stands, the names/email addresses/password hashes are said to have been exposed, so hopefully the developers were practicing proper password handling. For their part, the Drupal.org security team says that the majority of the leaked passwords were salted.

If you haven't gotten into the habit of using a password manager program and generating unique passwords for every site you use, now would be a good time to start that process.
