CMS Joomla Discloses Data Breach That Affected Users Of Its JRD Website

28/05/2020

The team behind the the open-source content management system (CMS) Joomla discloses a security breach affecting at least 2,700 users.

What happened here was the Joomla Resources Directory (JRD) team left a full backup of the JRD website (resources.joomla.org) on an Amazon Web Services S3 bucket owned by the company.

The backup file was not encrypted. As a result, the thousands of users who registered and created profiles on the portal where professionals advertise their Joomla site-making skills, have their data leaked.

Data that could have been exposed include:

  1. Full name.
  2. Business address.
  3. Business email address.
  4. Business phone number.
  5. Company URL.
  6. Nature of business.
  7. Encrypted password (hashed).
  8. IP address.
  9. Newsletter subscription preferences.
Screenshot of Joomla Resource Directory website.
Screenshot of Joomla Resource Directory website.

The JRD website acts as a portal for Joomla web owners and professionals, where they all can advertise their skills on the popular CMS. Registered members on the JRD portal can also utilize it to extend their Joomla websites with additional functionalities.

The team at Joomla realized about this incident during an internal website audit.

Once they realized about this this accidental leak of the JRD site backup, they also carried out a full security audit of the JRD portal.

"The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters," the Joomla team said in a breach disclosure.

This security breach is considered a low threat, considering that most of the above information was already available in the public domain. The only problem here, is the IP addresses and passwords. The latter for example, are data that weren't supposed to be public for any reason at all.

As a precaution, the team at Joomla urges all JRD users to immediately change their passwords on the portal, and also on other websites where they may have reused the passwords, in order to prevent credential stuffing attacks.

"Even if we don't have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of an email address and password) on other services to immediately change their password for security reasons," Joomla said in the advisory.

Joomla has also removed all users who have not logged in before January 1, 2019, enabled two-factor authentication, cleaned the database of old and unused data, removed outdated Joomla Components, Plugins, Modules, and third-party Templates, as well as rolling out several security fixes on its platform.

It has also reached out to the concerned third-party to get the data deleted.

While investigating this issue, Joomla has temporarily disabled the access to the website.

"We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding," the team said.