[BreachExchange] Joomla team discloses data breach

Destry Winant destry at riskbasedsecurity.com
Mon Jun 1 10:36:56 EDT 2020


The team behind the Joomla open source content management system (CMS)
announced a security breach last week.

The incident took place after a member of the Joomla Resources
Directory (JRD) team left a full backup of the JRD site
(resources.joomla.org) in an Amazon Web Services S3 bucket owned by
that team member's own company, not by Joomla.

The Joomla team said the backup file was not encrypted and contained
details for roughly 2,700 users who registered and created profiles on
the JRD website -- a portal where professionals advertise their Joomla
site-making skills.

Joomla admins said they are still investigating the incident. It is
currently unclear whether anyone found and downloaded the data from the
third-party company's S3 bucket.

Data that could have been exposed in the case someone found and
downloaded the backup includes details such as:

Full name
Business address
Business email address
Business phone number
Company URL
Nature of business
Password (stored hashed, not in plaintext)
IP address
Newsletter subscription preferences

The severity of this breach is considered low because most of this
information was already public: the JRD portal serves as a public
directory of Joomla professionals. However, the password hashes and IP
addresses were never meant to be public.

The Joomla team is now recommending that all JRD users change their
password on the JRD portal, but also on other sites where they reused
the password, as accounts on these sites could be under the threat of
a credential stuffing attack if attackers manage to crack the users'

The Joomla team said that once it learned of this accidental leak of
the JRD site backup, they also carried out a full security audit of
the JRD portal.

"The audit also highlighted the presence of Super User accounts owned
by individuals outside Open Source Matters," the Joomla team said in a
breach disclosure published last Thursday.

Joomla devs said they took action by removing the Super User accounts
and disabling all user accounts that did not log in after January 1,

Joomla is a content management system (CMS), a web-based application
that's used to build and manage self-hosted websites. It is currently
the third-most used CMS on the internet, having been passed for the
second spot by Shopify this month.

More information about the BreachExchange mailing list