The Joomla CMS development team has reported a data leak. The incident occurred because a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD website (resources.joomla.org) in an Amazon Web Services S3 bucket owned by his own firm.
Joomla's engineers write that the backup file was not encrypted and contained the information of roughly 2,700 users who had created profiles on the JRD website, a portal where professionals advertise their skills in building Joomla sites.
Joomla's administrators are still investigating the incident, and it is not yet clear whether anyone else found the data on the server. If third parties gained access to the backup, they had at their disposal the following user data:
- full name;
- business address;
- work email address;
- work phone number;
- company website URL;
- information on occupation;
- hashed password;
- IP address;
- newsletter subscription settings.
Overall, the severity of the leak is rated as low, because most of this information was already publicly available; hashed passwords and IP addresses, however, should not be made public.
The Joomla team now recommends that all JRD users change their password on the JRD website, as well as on any other site where the same password was reused. It is also reported that after detecting the backup leak, experts conducted a complete security audit of the JRD portal. The team's report states that “the audit revealed the presence of superuser accounts belonging to persons not related to Open Source.”
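As an added defender-side example (not code from Joomla or from the original article), the check below scores an S3 bucket against the three things that went wrong here: ownership outside the organisation's accounts, no default server-side encryption, and no public access block, and it flags backup-like archives found in such a bucket. The inputs mirror the dict shapes returned by boto3's get_bucket_acl, get_bucket_encryption, get_public_access_block and list_objects_v2, so live responses can be fed in; the account IDs, bucket names and object keys used below are constructed.

```python
# Account IDs the organisation actually controls (constructed placeholder).
ORG_ACCOUNT_IDS = {"111111111111"}
# Archive suffixes typical of site backups; .jpa is the Akeeba Backup format
# commonly used for Joomla sites.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".tar.gz", ".tgz", ".zip", ".jpa")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name, owner_id, encryption, public_access_block, object_keys):
    """Return a list of finding strings for one bucket.

    owner_id            - Owner.ID from get_bucket_acl (the owning account)
    encryption          - ServerSideEncryptionConfiguration dict, or None when
                          get_bucket_encryption reports no configuration
    public_access_block - PublicAccessBlockConfiguration dict, or None
    object_keys         - object keys from list_objects_v2
    """
    findings = []
    if owner_id not in ORG_ACCOUNT_IDS:
        findings.append(f"{name}: owner {owner_id} is outside the organisation")
    rules = (encryption or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append(f"{name}: no default server-side encryption")
    pab = public_access_block or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(f"{name}: public access block incomplete: " + ", ".join(missing))
    # Backup archives are only reported when the bucket already failed a check.
    backups = [k for k in object_keys if k.lower().endswith(BACKUP_SUFFIXES)]
    if backups and findings:
        findings.append(f"{name}: backup-like objects in non-compliant bucket: "
                        + ", ".join(backups))
    return findings


def run_samples():
    """Constructed inputs: a bucket mirroring the JRD incident and a compliant one."""
    leaky = audit_bucket(
        "contractor-misc-bucket", "999999999999",   # a contractor's own account
        None,                                        # no default encryption
        None,                                        # no public access block
        ["jrd-site-backup.jpa", "notes.txt"])
    compliant = audit_bucket(
        "org-backups", "111111111111",
        {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        {flag: True for flag in PAB_FLAGS},
        ["jrd-site-backup.jpa"])
    return leaky, compliant
```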