"Malicious files were placed on association.drupal.org servers via a third-party application used by that site," Drupal Association executive director Holly Ross stated in an announcement on the site. "Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."
According to Ross, the information exposed includes user names, hashed passwords, e-mail addresses and country information, though the investigation is still ongoing and it's possible other information may have been exposed as well.
As a precaution, all Drupal.org account holder passwords have been reset.
"We would also like to acknowledge that we are conducting an investigation into the incident, and we may not be able to immediately answer all of the questions you may have," Ross added.
Anyone who believes their information has been accessed by a third party is asked to contact firstname.lastname@example.org.