Joomla open-source content management system suffers a security incident that revealed personal details of customers
A member of the Joomla Resources Directory (JRD) team left an unencrypted full backup of the JRD site on an unsecured Amazon Web Services S3 bucket operated by a third-party company. The data breach affected more than 2,700 users who hold accounts on the Joomla.org site. According to the company, the security issue came to light during an internal website audit that identified the team member and the exposed backup.
Most of the data was already public, since users submitted it with the intent of being listed in a public directory. Private data (unpublished and unapproved listings, and tickets) was also included in the breach.
The investigation is still ongoing, so the company expects to release more specific information later. For now, the site has been suspended temporarily, and it is known that business addresses, full names, email addresses, and even encrypted passwords were exposed in this breach. The third-party company involved was contacted and asked to delete the data, but it is not clear whether any party accessed the unencrypted backup and obtained the information.
Exposure of personal data revealed during the internal website audit
Even though the company has no evidence that the data was accessed, customers are advised to change their passwords immediately as a precautionary measure. The possible consequence of this breach is that a third party or a malicious actor accessed these personal details:
- full name;
- business address;
- business email address;
- phone number;
- URL of the company;
- encrypted/hashed passwords;
- nature of the business;
- IP address;
- newsletter subscription preferences.
The severity of this breach is considered low because most of the data was already public, since the JRD portal serves as a directory for Joomla professionals. Exposing IP addresses and hashed passwords, however, was not intended.
The possible impact of the breach to individuals
Since payment data and other credentials related to financial information were not exposed, financial losses or other activities that depend on such information and funds are not expected. Likewise, sensitive information that could enable discrimination or identity theft was not stored in the database that was exposed. Driver's license numbers, social security numbers, and mothers' maiden names were not included in the database.
The overall risk classification of the breach is low, although the incident could still lead to fraud or identity theft. Data about people's marketing and advertising preferences was supplied to a public directory in the first place, so that information was already publicly accessible.
The biggest risk for affected customers is having their accounts taken over by a third party, because a username and password combination allows anyone to log in to a customer platform, especially where the same credentials are reused elsewhere. Change any affected login details and passwords, and watch for signs of unauthorized access and suspicious activity.