They also mentioned the unauthorized access to account information was from a third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. Sites running Drupal are not affected and there’s no evidence that credit card numbers have been intercepted. Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. Drupal have resetted all passwords, which can be seen by users when they are trying to login. Here is how drupal said to reset the password, A user password can be changed at any time by taking the following steps. All Drupal.org passwords are both hashed and salted, although some older passwords on some subsites were not salted. Although there is no evidence that card numbers may have been intercepted, but drupal security team are still investigating the incident. Don’t be a silent user let us know what do you think about it in comments below 🙂