If you are the admin of a Drupal 6 or Drupal 7 website you have likely received a password reset email that you did not request. This is caused by a bot (really multiple bots) hitting the password reset form and triggering the emails to the main admin user (user 1).
When a password reset is requested in Drupal a backdoor is created by design into Drupal. That backdoor is the password reset url. The url is publicly available. Thus, if you (or the hackers) can guess the password reset URL you’d gain full control of the site. The difficulty of guessing the url is high but not impossible. It is much harder than a brute force attack on the actual login url. However, the reset urls are not controlled by flood protection by default. This allows the attacker to try an endless number or urls without being blocked. This is true for at least a 24 hour period until the url expires.
There is another possibility that there is an unknown leak of the reset url. Given the high number of reset requests this is entirely possible.
This issue is being discussed on the Drupal community board here: https://www.drupal.org/project/drupal/issues/2939720
Brad Anderson is the Founder and CEO of Fruition. Brad’s focus is supporting Fruition’s team to enable sustainable growth and excellent client satisfaction (EBITDA growth). With a strong statistical background, Brad built Fruition’s in-house software that is used to manage client success.
President & Founder, Tru Family Dental
Marketing, Dependable Cleaners
President, Frame Destination
President & Founder, Family Travel Association