Drupal.org compromised – 967,659 users and (hashed) passwords stolen

The Drupal.org Security Team and Infrastructure Team has discovered unauthorized access to account information on Drupal.org and groups.drupal.org.

Information exposed includes usernames, email addresses, and country information, as well as hashed passwords. However, we are still investigating the incident and may learn about other types of information compromised, in which case we will notify you accordingly. As a precautionary measure, we’ve reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps.

Go to https://drupal.org/user/password
Enter your username or email address.
Check your email and follow the link to enter a new password.
It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.

Using the same password for different websites is a very bad idea, and you should avoid it as much as you can. Security tips regarding passwords can be found in our newsletter here: http://bfblogg.wpengine.com/blog/2013/03/08/basefarm-sirt-newsletter-2013-03-08/

More information: https://drupal.org/news/130529SecurityUpdate