The Drupal Association announced that approximately 1 million user passwords were compromised from the drupal.org website. The compromise was due to third-party software installed on the drupal.org server; it was not due to a vulnerability in Drupal itself. Two percent of all websites run Drupal, and those sites should not be affected by the data breach: this breach is at the user level. Drupal.org account holders will be required to change their passwords. http://alrt.co/15WQHCG
Takeaway: Your security posture is only as strong as your weakest link. Even if your own software is well architected and protected by proper authentication and authorization, you need to pay equal attention to all other vendors' components that are installed.