Data From Joomla Resources Directory Exposed via Unprotected AWS Bucket

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An unprotected Amazon Web Services (AWS) S3 bucket exposed the details of 2,700 users who signed up for the Joomla Resources Directory (JRD), Joomla’s Incident Response Task Group reported last week.

An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD team — stored full JRD backups in an AWS S3 bucket. The bucket was unprotected and the backups were not encrypted, potentially exposing the data to unauthorized third parties.

The backups included information such as full name, business address, business email address and phone number, company URL, a description of the business, hashed passwords, IP addresses, and newsletter subscription preferences.

The JRD helps users find developers and service providers specializing in Joomla so most of the exposed data was public — users submitted it knowing that it would be made available in a public directory. However, passwords and other types of private data, such as unpublished listings and tickets, were also exposed.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” the Joomla Incident Response Task Group wrote in a security incident report.

Based on the type of information that was exposed, the overall risk level associated with the data breach is considered “low to medium.”

“Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware,” the incident report reads.

Related: RigUp Database Exposed 76,000 Files From U.S. Energy Sector

Related: Millions of Digital Wallets Exposed by Key Ring

Related: AWS S3 Buckets Exposed Millions of Facebook Records

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Original Link