Increase in malicious requests performing automated password resets

Posted by mlhess

There appears to be an increase in malicious requests performing automated password resets on accounts. These automated requests appear to target commonly used usernames such as admin, moderator, etc.

Triggering a password reset email is not, by itself, a security risk. Site owners should check all accounts with elevated rights and confirm that the associated email addresses are correct. This automated attack may be trying to take advantage of a previously compromised account whose email address was changed.

In general it is best practice to audit admin level accounts on a regular basis.

  1. Navigate to the list of people on the site
  2. Filter the list for those who have additional roles
  3. Sort the list by last login date. If an account has not logged in recently, security could be improved by revoking the role from that account.
  4. Review the email address associated with all accounts with elevated roles to confirm it is the right email address.
  5. Review the usernames; if any are commonly used, consider changing them to something unique to the user (e.g. their name) or unique to the site (e.g. admin.example.com).
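The five review steps above are done in the Drupal people list, but the same checks can be scripted against an export of that list. The Python below is an added example written for this post, not code from Drupal or from the post's author: the user records, the expected-email table and the list of "common" usernames are all constructed, and the 90-day staleness cut-off is an assumption. The point of keeping a separate expected-email table is that step 4 only catches a changed address if it is compared against a record the attacker could not have edited.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the audit is reproducible (constructed, not a real date).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample of a site's people list: explicit roles beyond the implicit
# "authenticated" role, plus last login. Hypothetical data, not from any real site.
USERS = [
    {"name": "admin", "email": "admin@example.com", "roles": {"administrator"},
     "last_login": NOW - timedelta(days=3)},
    {"name": "jane.doe", "email": "jane@example.com", "roles": {"content_editor"},
     "last_login": NOW - timedelta(days=200)},
    {"name": "moderator", "email": "mod@mailbox.invalid", "roles": {"moderator"},
     "last_login": NOW - timedelta(days=10)},
    {"name": "bob", "email": "bob@example.com", "roles": set(),
     "last_login": NOW - timedelta(days=400)},
]

# Out-of-band record of who should hold elevated roles (constructed). Step 4 is only
# meaningful when the stored address is compared against something like this.
EXPECTED_EMAILS = {
    "admin": "admin@example.com",
    "jane.doe": "jane@example.com",
    "moderator": "mod@example.com",
}

# Usernames that automated reset requests commonly guess (assumed list).
COMMON_USERNAMES = {"admin", "administrator", "root", "moderator", "editor", "webmaster", "test"}

# Assumed cut-off for "has not logged in recently".
STALE_AFTER = timedelta(days=90)


def audit_elevated_accounts(users, expected_emails, now=NOW, stale_after=STALE_AFTER,
                            common=COMMON_USERNAMES):
    """Return (username, issue, detail) findings for accounts with elevated roles."""
    # Step 2: keep only accounts holding roles beyond "authenticated".
    elevated = [u for u in users if u["roles"]]
    # Step 3: oldest login first, so dormant privileged accounts surface at the top.
    elevated.sort(key=lambda u: u["last_login"])
    findings = []
    for u in elevated:
        if now - u["last_login"] > stale_after:
            findings.append((u["name"], "stale_login",
                             f"last login {u['last_login'].date()}; consider revoking {sorted(u['roles'])}"))
        # Step 4: compare the stored address with the expected one; an elevated
        # account missing from the expected table is flagged as well.
        expected = expected_emails.get(u["name"])
        if expected is None:
            findings.append((u["name"], "unexpected_elevated_account", u["email"]))
        elif u["email"].lower() != expected.lower():
            findings.append((u["name"], "email_mismatch",
                             f"stored {u['email']}, expected {expected}"))
        # Step 5: generic usernames are exactly what the automated requests guess.
        if u["name"].lower() in common:
            findings.append((u["name"], "common_username", "rename to something unique"))
    return findings


if __name__ == "__main__":
    for name, issue, detail in audit_elevated_accounts(USERS, EXPECTED_EMAILS):
        print(f"{name:12} {issue:28} {detail}")
```

Run as-is it reports the dormant editor account, the moderator account whose stored address no longer matches the expected one, and the two generic usernames; the unprivileged account is skipped even though it has not logged in for over a year.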

If you see anything in the list of accounts that makes you think your site has been compromised, consider going through this more exhaustive set of steps to mitigate those issues.

Comments

The Drupal core issue to add

Posted by klausi

The Drupal core issue to add flood protection on the password reset form is https://www.drupal.org/project/drupal/issues/1681832
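To show what flood protection on the reset form would do against the traffic described in the post, here is an added example, not Drupal's code and not from the issue above: a sliding-window counter with the same isAllowed/register shape as Drupal's flood service, replayed over constructed web-server access log lines. The event name `user.password_request_ip`, the threshold of five submissions per hour and the log lines themselves are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source submits the reset form eight times in under
# four minutes; a second source submits it once. Addresses are RFC 5737 examples.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /user/password HTTP/1.1" 200 4121
203.0.113.5 - - [01/Jun/2024:10:00:03 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:00:20 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:00:41 +0000] "POST /user/password HTTP/1.1" 303 0
198.51.100.7 - - [01/Jun/2024:10:01:02 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:01:05 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:01:30 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:02:12 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:02:55 +0000] "POST /user/password HTTP/1.1" 303 0
203.0.113.5 - - [01/Jun/2024:10:03:40 +0000] "POST /user/password HTTP/1.1" 303 0
"""

# Assumed event name; Drupal's own flood events for this form may be named differently.
EVENT = "user.password_request_ip"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


class FloodControl:
    """Sliding-window event counter keyed by (event name, identifier)."""

    def __init__(self):
        self._events = defaultdict(deque)

    def is_allowed(self, name, threshold, window, identifier, now):
        q = self._events[(name, identifier)]
        while q and now - q[0] > window:  # drop events that fell outside the window
            q.popleft()
        return len(q) < threshold

    def register(self, name, identifier, now):
        self._events[(name, identifier)].append(now)


def replay_password_requests(log_text, threshold=5, window=timedelta(hours=1)):
    """Replay reset-form submissions through the counter; return the ones it would reject."""
    fc = FloodControl()
    rejected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only form submissions count; viewing the form (GET) is not an event.
        if rec is None or rec["method"] != "POST" or rec["path"] != "/user/password":
            continue
        if fc.is_allowed(EVENT, threshold, window, rec["ip"], rec["ts"]):
            fc.register(EVENT, rec["ip"], rec["ts"])
        else:
            rejected.append((rec["ip"], rec["ts"].isoformat()))
    return rejected


if __name__ == "__main__":
    for ip, ts in replay_password_requests(SAMPLE_LOG):
        print(f"would reject reset request from {ip} at {ts}")
```

With the assumed limit, the first five submissions from 203.0.113.5 go through and the remaining three would be refused, while the single request from the other address is unaffected; raising the threshold to ten lets everything through, which is the trade-off the limit has to be tuned for.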
