An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.
An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD team — stored full JRD backups in an AWS S3 bucket. The bucket was unprotected and the backups were not encrypted, potentially exposing the data to unauthorized third parties.
The backups included information such as full name, business address, business email address and phone number, company URL, a description of the business, hashed passwords, IP addresses, and newsletter subscription preferences.
The JRD helps users find developers and service providers specializing in Joomla so most of the exposed data was public — users submitted it knowing that it would be made available in a public directory. However, passwords and other types of private data, such as unpublished listings and tickets, were also exposed.
“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” the Joomla Incident Response Task Group wrote in a security incident report.
Based on the type of information that was exposed, the overall risk level associated with the data breach is considered “low to medium.”
“Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware,” the incident report reads.