> its portal used by customers to access sensitive data was run on a three-year-old version of Drupal, 7.23<p>Drupal 7.23 is vulnerable to <a href="https://www.drupal.org/SA-CORE-2014-005" rel="nofollow">https://www.drupal.org/SA-CORE-2014-005</a>. Anyone who's ever read a Wikipedia article on SQL injection could have had shell access to that site. As a Drupal core contributor, I've always felt a small irrational amount of guilt for not catching that defect. But today suddenly I feel just a tiny bit better.