Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Data From Joomla Resources Directory Exposed via Unprotected AWS Bucket

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD team — stored full JRD backups in an AWS S3 bucket. The bucket was unprotected and the backups were not encrypted, potentially exposing the data to unauthorized third parties.

The backups included information such as full name, business address, business email address and phone number, company URL, a description of the business, hashed passwords, IP addresses, and newsletter subscription preferences.

The JRD helps users find developers and service providers specializing in Joomla so most of the exposed data was public — users submitted it knowing that it would be made available in a public directory. However, passwords and other types of private data, such as unpublished listings and tickets, were also exposed.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” the Joomla Incident Response Task Group wrote in a security incident report.

Based on the type of information that was exposed, the overall risk level associated with the data breach is considered “low to medium.”

“Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware,” the incident report reads.

Related: RigUp Database Exposed 76,000 Files From U.S. Energy Sector

Advertisement. Scroll to continue reading.

Related: Millions of Digital Wallets Exposed by Key Ring

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.

Register

As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.