Joomla team discloses data breach

Joomla says a team member left an unencrypted backup of the JRD portal on a private AWS S3 bucket.


The team behind the Joomla open source content management system (CMS) announced a security breach last week.

The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company.

The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website -- a portal where professionals advertise their Joomla site-building skills.

Joomla admins said they are still investigating the incident. It is currently unclear whether anyone found and downloaded the data from the third-party company's S3 bucket.

Data that could have been exposed, had someone found and downloaded the backup, includes details such as:

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

The severity of this breach is considered low because most of this information was already public: the JRD portal serves as a directory for Joomla professionals. However, the hashed passwords and IP addresses were not meant to be public.

The Joomla team is now recommending that all JRD users change their password on the JRD portal, and also on any other sites where they reused that password, since accounts on those sites could be exposed to credential stuffing if attackers manage to crack the leaked password hashes.

The Joomla team said that once it learned of the accidental leak of the JRD site backup, it also carried out a full security audit of the JRD portal.

"The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters," the Joomla team said in a breach disclosure published last Thursday.

Joomla devs said they took action by removing the Super User accounts and disabling all user accounts that did not log in after January 1, 2019.
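The two clean-up steps in the disclosure, listing Super User accounts and disabling accounts with no login after January 1, 2019, map onto a straightforward query against the Joomla user tables. The script below is an added illustration, not Joomla's or Open Source Matters' own tooling. It assumes a table prefix of `jos_`, Joomla's default Super Users group id of 8, and a reduced copy of the `users`, `usergroups` and `user_usergroup_map` schema built in an in-memory SQLite database with constructed sample rows. It also treats a `lastvisitDate` of `NULL` or the legacy zero timestamp as "never logged in", since such accounts are just as stale as ones with an old login date.

```python
import sqlite3

# Assumptions (not from the article): Joomla's default table prefix and
# the default id of the Super Users group. Adjust for a real site.
TABLE_PREFIX = "jos_"
SUPER_USER_GROUP_ID = 8

# Constructed subset of the Joomla user tables, enough for the audit queries.
SCHEMA = f"""
CREATE TABLE {TABLE_PREFIX}users (
    id INTEGER PRIMARY KEY,
    name TEXT, username TEXT, email TEXT,
    block INTEGER NOT NULL DEFAULT 0,
    registerDate TEXT,
    lastvisitDate TEXT
);
CREATE TABLE {TABLE_PREFIX}usergroups (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE {TABLE_PREFIX}user_usergroup_map (user_id INTEGER, group_id INTEGER);
"""

# Constructed sample accounts. Group 2 is Joomla's default "Registered" group.
# 'contractor' is both a Super User and stale; 'bob' carries the legacy zero
# timestamp, 'carol' a NULL, and 'dave' is stale but already blocked.
SAMPLE_USERS = [
    (1, "Site Admin", "admin", "admin@example.test", 0, "2015-03-01 09:00:00", "2020-05-20 08:12:00"),
    (2, "Ex Contractor", "contractor", "ctr@example.test", 0, "2016-07-11 10:00:00", "2018-11-02 17:45:00"),
    (3, "Alice", "alice", "alice@example.test", 0, "2017-01-05 11:00:00", "2019-06-01 12:00:00"),
    (4, "Bob", "bob", "bob@example.test", 0, "2018-02-14 11:00:00", "0000-00-00 00:00:00"),
    (5, "Carol", "carol", "carol@example.test", 0, "2018-09-30 11:00:00", None),
    (6, "Dave", "dave", "dave@example.test", 1, "2017-05-05 11:00:00", "2018-12-31 23:00:00"),
]
SAMPLE_GROUPS = [(2, "Registered"), (SUPER_USER_GROUP_ID, "Super Users")]
SAMPLE_MAP = [(1, SUPER_USER_GROUP_ID), (2, SUPER_USER_GROUP_ID),
              (3, 2), (4, 2), (5, 2), (6, 2)]


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(f"INSERT INTO {TABLE_PREFIX}users VALUES (?,?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany(f"INSERT INTO {TABLE_PREFIX}usergroups VALUES (?,?)", SAMPLE_GROUPS)
    conn.executemany(f"INSERT INTO {TABLE_PREFIX}user_usergroup_map VALUES (?,?)", SAMPLE_MAP)
    conn.commit()
    return conn


def list_super_users(conn: sqlite3.Connection) -> list[tuple[int, str, str]]:
    """Every account mapped into the Super Users group: the list to review by hand."""
    rows = conn.execute(
        f"""SELECT u.id, u.username, u.email
            FROM {TABLE_PREFIX}users u
            JOIN {TABLE_PREFIX}user_usergroup_map m ON m.user_id = u.id
            WHERE m.group_id = ?
            ORDER BY u.id""",
        (SUPER_USER_GROUP_ID,),
    ).fetchall()
    return [(r[0], r[1], r[2]) for r in rows]


# Condition shared by the find and block queries. Comparing the date part as a
# string works for ISO timestamps, and the zero timestamp sorts before any
# real cutoff, so it is caught by the same test; NULL needs its own clause.
_STALE_WHERE = """block = 0 AND (
    lastvisitDate IS NULL OR substr(lastvisitDate, 1, 10) <= ?
)"""


def find_stale_accounts(conn: sqlite3.Connection, cutoff: str) -> list[str]:
    """Usernames of unblocked accounts whose last login is on or before cutoff (YYYY-MM-DD)."""
    rows = conn.execute(
        f"SELECT username FROM {TABLE_PREFIX}users WHERE {_STALE_WHERE} ORDER BY id",
        (cutoff,),
    ).fetchall()
    return [r[0] for r in rows]


def block_stale_accounts(conn: sqlite3.Connection, cutoff: str) -> int:
    """Disable (block = 1) the stale accounts and return how many were changed."""
    cur = conn.execute(
        f"UPDATE {TABLE_PREFIX}users SET block = 1 WHERE {_STALE_WHERE}", (cutoff,)
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("Super User accounts to review:", list_super_users(db))
    print("Stale accounts:", find_stale_accounts(db, "2019-01-01"))
    print("Blocked:", block_stale_accounts(db, "2019-01-01"))
```

Blocking rather than deleting keeps the audit trail (registration date, group membership) intact, and the Super User list is deliberately returned for review instead of being removed automatically, since deciding which privileged accounts belong to outsiders is a judgement call, not a query.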

Joomla is a content management system (CMS), a web-based application used to build and manage self-hosted websites. It is currently the third-most used CMS on the internet, having been overtaken for the second spot by Shopify this month.