Joomla, one of the most popular Open-source content management systems (CMS) suffers a security incident that revealed personal details of costumers. The data breach impacted more than 2,700 users who have an account with its resources directory (JRD) website, i.e., resources.joomla.org.

The breach exposed affected users’ personal information, such as full names, business addresses, email addresses, phone numbers, and encrypted passwords.

According to the company this security issue came to light during an internal website audit that indicated the member of the team and the exposed backup. The member of the JRD team left the unencrypted full backup of the JDR site on a nonsecured Amazon Web Services S3 bucket operated by the third-party company.

The affected JRD portal lists developers and service providers specialized in Joomla, allowing registered users to extend their CMS with additional functionalities.
The investigation is still ongoing on. Right now, the site is suspended temporarily, and it is known that personal information, and even encrypted passwords got exposed during this breach. It has also reached out to the concerned third-party to get the data deleted. It’s not clear if any party found the unencrypted backup and accessed the information.
The possible consequence of this breach can be that third-party or a malicious actor accessed these personal details:
1. Full name
2. Business address
3. Business email address
4. Phone number
5. URL of the company
6. Encrypted/ hashed password
7. Nature of the business
8. IP address
9. Newsletter subscription preferences
Web application penetration testing specialists pointed out that most of the exposed information is considered publicly accessible (including the directory for web development professionals), so the data breach is not particularly serious. However, it should be noted that data such as encrypted passwords or IP addresses should not be exposed to any user outside the company.
The severity of this breach is considered to be low because the bigger part of the data was public already since the JRD portal serves as a directory for Joomla professionals. But making IP addresses and hashed passwords public was not indented.
The possible impact of the breach on individuals
Since payment data or other credentials related to financial information were not exposed, you shouldn’t be afraid of financial losses. Reputational information like activities or sensitive information regarding discrimination or identity theft was not stored on the database that got exposed. Details about driver’s license numbers, social security numbers were not included in the database.

The overall risk classification of the breach is low, but the incident can lead to fraud or identity theft. The biggest risk for affected customers is to get their accounts controlled by third-party because passwords and usernames allow people to log in to any customer platform.

The Joomla team said that once it learned of this accidental leak of the JRD site backup, they also carried out a full security audit of the JRD portal. The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters.

Joomla devs said they took action by removing the Super User accounts and disabling all user accounts that did not log in after January 1, 2019.
Recommendations:
• People, who have an account on the JRD and use the same password (or combination of an email address and password) on other services, immediately change their password for security reasons.
• Make sure two-factor authentication is enabled in your system.
• Always keep your version of Joomla up to date as well as all of your extensions.
• Use good Joomla security extensions which will lock down your site and help protect you from attacks.
• Always trying to ensure the connections you are using are secure when connecting to your Joomla website.
• Ensure that your Amazon S3 buckets use the correct policies and are not publicly accessible.
• Implement least privilege access. It is fundamental in reducing security risk and the impact that could result from errors or malicious intent.
• Enable multi-factor authentication (MFA) Delete. If MFA Delete is not enabled, any user with the password of a sufficiently privileged root or could permanently delete an Amazon S3 object.
• Consider S3 Object Lock. S3 Object Lock can help prevent accidental or inappropriate deletion of data.