The Joomla team revealed a security breach that occurred last week when a member of the Joomla Resources Directory (JRD) team accidentally left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company.
The backup file, which includes details of around 2,700 users who registered and created profiles on the JRD website, was not encrypted.
Joomla is an open source content management system (CMS), a web-based application used to build and manage self-hosted websites.
The JRD website is a portal where professionals advertise their Joomla site-building skills. Joomla is currently the third-most used CMS on the internet.
The Joomla admins are still investigating the incident and do not yet know whether anybody has already spotted and downloaded the data from the third-party company's S3 bucket.
The data that could have been exposed includes full name, business address, business email address, business phone number, company URL, nature of business, password (stored hashed), IP address and newsletter subscription preferences.
Since the JRD portal acts as a public directory of Joomla professionals, most of this information was already public, and so the severity of the breach is considered low. However, the hashed passwords and IP addresses were never made public.
All JRD users are advised to change their password on the JRD portal. The team also advises users who reused the same password on other sites to change those as well, to avoid credential stuffing attacks.
On becoming aware of the accidental leak of the JRD site backup, the Joomla team immediately performed a full security audit of the JRD portal.
The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters.