Maintainers at the Joomla open-source content management system (CMS) announced a security breach that took place last week.

Last week a member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site (resources.joomla.org) on an unsecured Amazon Web Services S3 bucket operated by the company.

The company did not reveal is third-parties have found and accessed to the S3 bucket.

“JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former Team Leader, still Member of the JRD team at the time of the breach.” reads the data breachnotification. “Known to the current Team Leader at the time of the breach. (https://volunteers.joomla.org/teams/resource-directory-team) Each backup copy included a full copy of the website, including all the data.”

The backup contained details for approximatively 2,700 users who registered and created profiles on the JRD website.

The Joomla Resources Directory portal allows professionals and developers to advertise their services.

Joomla team is investigating the data leak said they are still investigating the incident. It is currently unclear if anyone found and download the data from the third-party company’s S3 server.

Board

The Joomla team also carried out a full security audit of the portal.

“The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters,” continues the notification.

Data contained in the backup includes :

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

The data breach notification states that most of the data was public, because it was a public directory, anyway private data (unpublished, unapproved listings, tickets) was exposed in the breach.

The Joomla team is urging JRD users to change their password on the JRD portal and on other sites where they share the login credentials.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.” concludes the notification.

Pierluigi Paganini