Up to 12 million websites are said to have been compromised by attackers who took advantage of a bug in the widely used Drupal software.
Drupal is a tool used to manage web content, images, text and video.
The company issued a warning to say that users that have not applied a patch for a recently discovered bug should "assume" they have been hacked.
Drupal said automated attacks took advantage of the bug and allowed hackers to take control of a sites.
In the "highly critical" announcement Drupal's security team said anyone who did not take action within seven hours of the bug being discovered should "proceed under the assumption" that their site was compromised.
It warned that anyone who had not updated their site should do so immediately.
The team added that simply applying this update may not remove any back doors that attackers have managed to gain access through.
The notice said: "Attackers may have copied all data out of your site and could use it maliciously.
"There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised."
Mark Stockley, an analyst at security firm Sophos said the warning was "shocking."
He estimated that up to 5.1% of the billion or so sites on the web use Drupal 7 to manage their content, meaning the number of sites needing patching could be as high as 12 million.
Mr Stockley believes Drupal should not rely on users to apply patches.
He said: "Many site owners will never have received the announcement and many that did will have been asleep.
"What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."
Return to internet news headlines
View Internet News Archive