Up to 12 Million websites hit by Drupal hack attack

Drupal, software that is utilized by millions of websites may have fallen prey to attackers that took advantage of a bug in the software. Drupal is used to easily manage web content, images, text and video.

According to BBC News, up to 12 million websites may have been compromised by hackers for failing to have a crucial patch prior to the attack. In theory, attackers could have taken all data stored on websites as well as installed backdoors that would allow them to return to the website in the future and collect more data.

Drupal has since issued a statement warning users that anyone that did not apply for a patch for the recently discovered bug should “assume” that they have been hacked. The report states that automated attacks utilized the bug in order to take control of websites. Drupal further added that applying the patch after reading the announcement might nor remove back doors that attackers could have inserted after gaining access to sites.

Drupal instructed sites to investigate whether attackers had gotten away with any of their data.

“Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.”

Mr. Stockley, an analyst at security firm Sophos, states that Drupal should no longer rely on users to apply patches.

“Many site owners will never have received the announcement and many that did will have been asleep. What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.”

Up to 12 Million Sites Could Have Been Compromised

Stockley estimates that around 5.1% of the one billion websites that utilize Drupal needed patching at the time of the automated attack, thus up to 12 million sites could have been compromised. Drupal will likely roll out automatic updates in the future to prevent attacks like this from happening again.

In the past week, we have witnessed several hacking attacks that have targeted large amounts of users. The MCX mobile payment app CurrentC was also hacked this week, resulting in the theft of user email addresses. While CurrentC is still in pilot phases, it has already been hacked. The Web Security of many online databases is not holding up to the skill of hackers. As the amount of consumer data stored online increases exponentially each year, the need for stronger web security is also growing.