Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Data From Joomla Resources Directory Exposed via Unprotected AWS Bucket

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD team — stored full JRD backups in an AWS S3 bucket. The bucket was unprotected and the backups were not encrypted, potentially exposing the data to unauthorized third parties.

The backups included information such as full name, business address, business email address and phone number, company URL, a description of the business, hashed passwords, IP addresses, and newsletter subscription preferences.

The JRD helps users find developers and service providers specializing in Joomla so most of the exposed data was public — users submitted it knowing that it would be made available in a public directory. However, passwords and other types of private data, such as unpublished listings and tickets, were also exposed.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” the Joomla Incident Response Task Group wrote in a security incident report.

Based on the type of information that was exposed, the overall risk level associated with the data breach is considered “low to medium.”

“Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware,” the incident report reads.

Related: RigUp Database Exposed 76,000 Files From U.S. Energy Sector

Related: Millions of Digital Wallets Exposed by Key Ring

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.