Joomla announced a new data breach that impacted 2,700 users and exposed their critical personal information.
The open-source content management system Joomla announced that the information of 2,700 users with an account on resources.joomla.org was breached. Unencrypted full-site backups of the JRD (Joomla Resources Directory) were stored in an Amazon Web Services S3 bucket belonging to a third-party company. That company is owned by a former Team Leader who was still a member of the JRD team at the time of the breach. The backup copies are full copies of the site, including all the data.
Private data
According to Joomla’s announcement, most of the data was public, since users submitted it with the intent of being included in a public directory. However, private data was also included in the breach. The audit also showed the presence of Super User accounts owned by individuals outside Open Source Matters.
Data breached:
- Full name
- Business address
- Business email address
- Business phone number
- Company URL
- Nature of business
- Encrypted password (hashed)
- IP address
- Newsletter subscription preferences
The company also stated:
“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.”