Drupal made a "highly critical" announcement: Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October "should proceed under the assumption" that their site was compromised.
It was highly disturbing to hear that almost all sites could have been compromised because of this issue. Security updates have to be applied manually in Drupal, which became the biggest drawback for existing websites.
The Drupal security team came up with a patch to close the backdoor reported in this bug. In September 2014 the security team received a report of the bug from SektionEins, a German company that discovered it while auditing a client site.
They found the problem in the code at /includes/database/database.inc. This backdoor gave hackers access to a module which helped them modify users and permissions for the site. This module was deleted from Drupal 8.
Some investigators pointed fingers at Russian hackers who had been involved in different CMS attacks. These hackers intended to install backdoors on sites and remain unnoticed.
W3Techs estimate that 65% of Drupal sites are using Drupal 7. A few popular sites, as well as some government sites, were under attack and did not survive at a later stage.
Drupal 8 will mark a change in terms of security level for sites.