Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "should proceed under the assumption" that their site was compromised.
