Users of Drupal.org, the community site for the open source content management system, have had their passwords reset after the site's administrators found evidence that it was hacked.

In a security announcement published last night, Holly Ross, executive director of the Drupal Association, said that the organisation's web servers had been infected by malware, which led to "unauthorised access" to user account information.  

Compromised information includes usernames, email addresses and encrypted passwords. 

The vulnerability that allowed the hackers to access the information related to "third party software" installed on the Drupal.org servers, not the Drupal CMS itself, Ross said. The infection was discovered during a routine security audit.

“We do not store credit card information on our site and have uncovered no evidence that card numbers may have been intercepted,” said Ross. "However, we are still investigating the incident and may learn about other types of information compromised."

The site's operators have reset all Drupal.org user passwords and are requiring users to change their passwords at their next login attempt.

The Drupal Association said it is were taking steps to strengthen its security, which include installing the GRSEC security enhancements to the Linux kernel and "hardening" their Apache web server configurations. The association.drupal.org website was shut down last night as an immediate response to the threat.