Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 29 Oct 2017 14:00:36 +0100
From: Hanno Böck <>
Subject: Drupal backup_migrate information leak (was Fw: Database
 mishandling at

This comes down to a severe design flaw in how drupal handles private

The doc for the module contains a warning, however it leads to a dead

Begin forwarded message:

Date: Fri, 27 Oct 2017 23:55:52 -0400
Subject: Database mishandling at

Dear supporter,

On Wednesday, October 25th, we received an email letting us know that
an old Drupal database backup file was publicly accessible on, a site operated by the Free Software
Foundation. This backup file contained contact information and other
details that should not have been public, submitted from 2007-2012.
You are receiving this message because the file included this email
address, possibly linked with other details listed below. We believe
it has been publicly accessible since 2012, though unadvertised, and
until recently, not indexed by search engines.

Within minutes of receiving the report, we removed the file and
started auditing and the rest of our sites.

The file did not contain any passwords or password hashes, financial
information, mailing addresses, or information about users who
interacted with the site without ever logging in. While it is
certainly possible, we have seen no evidence that the file was
accessed by anyone other than the reporter and the search crawler, nor
republished anywhere else.

The file did include (from both real and spambot users' profiles):

  * ~28,000 email addresses;
  * user and contact names;
  * some IP addresses associated with comments on posts;
  * ~200 phone numbers;
  * some preferred language settings;
  * some information users shared about whether they participated in a
    particular campaign action (like a call-in), and
  * timestamps of users submitting data.

While some of this information was intended by users to be public,
some of it definitely was not.

I am deeply and personally sorry for this mistake. We know how
important your privacy is to you; we fight on your behalf every day
against restrictive and invasive technologies that threaten it.

We also don't believe in covering up our mistakes, so I wanted to let
you know as soon as possible that you were affected -- shortly after
we had finished our initial audit to make sure we understood the full
extent of the problem and fixed the most urgent issues.

Even though we are a small team, under pressure to move fast against
extremely large forces, this kind of mistake is absolutely
unacceptable. We have made many improvements in our security practices
since 2012, and in light of this failure will be taking a deeper look
at what else we need to do.

If you have any follow-up questions, please email us at
<>, and CC me at <>.

On behalf of everyone here: We are sorry.

Thank you,  
John Sullivan  
Executive Director  

P.S. If you are a Drupal site administrator using the backup-migrate
module, make sure to check your configuration settings to ensure
backup files are private. In just a few minutes of searching, we found
others who are making the same mistake we did.

* Follow us at <>. 
* Subscribe to our RSS feeds at <>.
* Join us as an associate member at <>.

Sent from the Free Software Foundation,

51 Franklin St, Fifth Floor
Boston, Massachusetts 02110-1335

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.