Major security hole in the TYPOlight install tool
by Leo Feyer
A major security hole in the TYPOlight install tool has been detected which allows anyone to bypass the password authentication and read the database login credentials and - if the Safe Mode Hack is used - the FTP login credentials. To fix the issue, upgrade to the latest version (2.7.6) or apply one of the patches below!
Which versions are affected
Unfortunately, the issue affects all TYPOlight versions. Your installation is safe only if you have taken additional steps to protect the TYPOlight back end with .htaccess authentication.
How to fix the vulnerability
If you are using the Live Update Service, upgrade to the latest version (2.7.6). Otherwise download one of the patches below and replace the files typolight/install.php and typolight/ftp.php (available from version 2.6).
To additionally harden your installation or if for some reason you cannot upgrade, protect the back end (the typolight folder) via .htaccess. Use FilesMatch to protect only the install tool:
    <FilesMatch "(ftp|install)\.php$">
        AuthName "TYPOlight back end"
        AuthType Basic
        AuthUserFile .htpasswd
        require valid-user
    </FilesMatch>
Change your login credentials!
If you did not use .htaccess protection before today, make sure to change your database password and - if you are using the Safe Mode Hack - FTP password!
Check the back end accounts
Since the exploit also allows hackers to create administrator accounts, make sure to check the list of back end users for new or unknown accounts.
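As an added example (not part of the original announcement or of TYPOlight itself), the following Python script triages an Apache access log: it lists which clients reached typolight/install.php or typolight/ftp.php and whether the script answered (2xx) or the .htaccess protection above refused the request (401/403). The log lines are constructed sample data in the Apache "combined" format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:02:14:01 +0100] "GET /typolight/install.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:02:14:05 +0100] "POST /typolight/install.php HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2010:09:30:11 +0100] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2010:09:31:40 +0100] "GET /typolight/main.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Mar/2010:14:02:59 +0100] "GET /typolight/ftp.php HTTP/1.1" 401 381 "-" "curl/7.19"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# The two scripts named in the advisory; query strings are stripped before matching.
INSTALL_TOOL_RE = re.compile(r'/typolight/(install|ftp)\.php$')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['path'] = d['path'].split('?', 1)[0]
    d['status'] = int(d['status'])
    return d

def triage(log_text):
    """Summarise requests that reached the install tool, per client IP.
    'served' = 2xx (the script actually ran); 'denied' = 401/403 (.htaccess refused it)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not INSTALL_TOOL_RE.search(rec['path']):
            continue
        c = hits[rec['ip']]
        c['requests'] += 1
        if rec['method'] == 'POST':
            c['posts'] += 1
        if 200 <= rec['status'] < 300:
            c['served'] += 1
        elif rec['status'] in (401, 403):
            c['denied'] += 1
    return {ip: dict(c) for ip, c in hits.items()}

if __name__ == '__main__':
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

Any client with a non-zero 'served' count before the patch or the .htaccess protection was applied should be treated as having had access to the install tool, which is exactly the case in which the credentials and back end accounts above need checking.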
If you have any questions, you are welcome to ask in the forum. I apologize for the trouble caused.