Joomla Discloses Data Breach Affecting 2,700 Users

Joomla, a free and open-source content management system for publishing web content, developed by Open Source Matters, Inc., has disclosed a data breach which affects 2,700 individuals.

According to a data breach notification from Joomla, a leader of the Joomla Resources Directory (JRD) team left full site backups in a third-party company Amazon Web Services S3 bucket unencrypted. Each backup copy included a full copy of the website, including all data.

Most of the data was public, since users submitted their data with the intent of being included into a public directory. Private data (unpublished, unapproved listings, tickets) was included in the breach.

Data that was potentially affected includes:

Full name
Business address
Business email address
Business phone number
Company URL
Nature of business
Encrypted password (hashed)
IP address
Newsletter subscription preferences

According to Joomla's risk assessment, risks of financial loss, damage to reputation, discrimination, identity theft or fraud, and any other significant or economic disadvantage are low to medium.

In addition, Joomla has taken the following steps to increase security and prevent eventual breaches:

Akeeba Backup configuration check:
Everything removed and the official backup configuration implemented with full encryption to organizational approved locations, with internal triggers.
- Multiple backup profiles to third-party AWS S3 Locations.
- Backups without passwords.
- Backups without encryption key
External connections check:
All connections from external services removed.
- Third party service used to trigger the backups remotely.
- Third party service used to do audits.
Communication streams:
Removed / Converted private mail address to organizational ones and blocked access to external support parties.
- Ticket notifications to private mail address instead of organizational ones.
- Support from external parties without clear responsibility separation by using ACL.
CPANEL / Hosting level:
- Removed all custom FTP & SSH accounts.
- Changed access credentials.
- Changed database user & password.

For more information about the data breach, visit https://community.joomla.org/blogs/community/jrd-security-incident-notification.html

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.