Across the intent thousands of websites are running on the Drupal. Reports from a Security researcher Troy Mursch who ran a scan across the whole Internet found over 115000 Drupal websites that were vulnerable to the Drupalgeddon2 flaw (CVE-2018-7600) which became public knowledge in March 2018. This just shows that despite repetitive security warnings some site owner just refuse to take the security around their user date seriously.
The Drupalgeddon2 vulnerability allows an unauthenticated attacker, to remotely execute malicious code on default or standard Drupal installations. The creators of Drupal has advising all website administrators to install security patches since late March. Thousands of website owners have not applied the patch even though it became public knowledge that attackers have been exploiting the vulnerability two weeks after exploit code of Drupalgeddon2 was published online.