A Joomla database leak has exposed the personal information, including hashed passwords, of 2,700 individuals registered on the Joomla Resources Directory (JRD).

The Joomla Resources Directory allows users to find registered service providers to assist in project management, design, and technical support for Joomla.

In a security advisory published by Joomla last week, it was disclosed that the details of 2,700 individuals registered on the Joomla Resources Directory (JRD) service were leaked.

The exposure included information such as:

  • Full Name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

While the exposure of most of this information may not be a cause for concern, given that business records are often public, password hashes and IP addresses are still sensitive information and should have remained confidential.

"Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware," reads the advisory.

Based on what is known now, the leak occurred as complete, unencrypted backups of JRD sites were stored on an Amazon Web Services (AWS) S3 bucket by a third-party company that is owned by a Joomla team member and former team lead.

The backups contained full copies of the websites and data that were meant to remain private.

The advisory names InterGen Web Solutions and Polished Geek as two of the "involved parties" in the incident, among other unknown ones, pending investigation.

It is worth noting that InterGen Web Solutions, listed in the advisory, is owned by Brian Mitchell, who is presently a Joomla team member and former Group Leader, while the current team lead, Deb Cinkus, is also the CEO of Polished Geek.

Multiple risk assessment criteria evaluate the severity of the leak somewhere between Low and High.

While it cannot be authoritatively confirmed if malicious parties ever accessed the leaky backups, Joomla states that they did find Super User accounts that did not belong to Open Source Matters.

"The audit also highlighted the presence of Super User accounts owned by individuals outside Open Source Matters," the advisory states.
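The audit finding above, Super User accounts held by people outside the project, is the kind of check a site owner can script against the Joomla user tables. The following is an added example, not code from Joomla or the advisory; it assumes Joomla's default `jos_` table prefix, the stock group id 8 for "Super Users", and a hypothetical allowlist of expected administrator accounts, and runs against constructed sample rows in an in-memory SQLite database.

```python
import sqlite3

# "jos_" is Joomla's default table prefix (a real site may use another one) and
# group id 8 is the "Super Users" group in a stock Joomla install (assumptions).
SUPER_USERS_GROUP_ID = 8

# Hypothetical allowlist: the accounts the site owner expects to hold Super User rights.
EXPECTED_SUPER_USERS = {"osm-admin", "osm-ops"}

SAMPLE_USERS = [  # constructed rows: (id, username, email, registerDate)
    (42, "osm-admin", "admin@example.org", "2019-01-10 09:00:00"),
    (43, "osm-ops", "ops@example.org", "2019-02-02 12:00:00"),
    (44, "jdoe", "jdoe@example.com", "2020-05-20 03:14:00"),
]
SAMPLE_MAP = [(42, 8), (43, 8), (44, 8), (44, 2)]  # constructed: (user_id, group_id)


def load_sample_db():
    """Build an in-memory SQLite copy of the two Joomla tables from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT,
                                email TEXT, registerDate TEXT);
        CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
    """)
    conn.executemany("INSERT INTO jos_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?,?)", SAMPLE_MAP)
    return conn


def list_super_users(conn):
    """Every account mapped to the Super Users group, oldest registration first."""
    return conn.execute("""
        SELECT u.username, u.email, u.registerDate
        FROM jos_users u
        JOIN jos_user_usergroup_map m ON m.user_id = u.id
        WHERE m.group_id = ?
        ORDER BY u.registerDate
    """, (SUPER_USERS_GROUP_ID,)).fetchall()


def unexpected_super_users(conn, allowlist=EXPECTED_SUPER_USERS):
    """Super User accounts not on the allowlist; each needs a human to confirm or remove it."""
    return [row for row in list_super_users(conn) if row[0] not in allowlist]


if __name__ == "__main__":
    db = load_sample_db()
    for username, email, registered in unexpected_super_users(db):
        print(f"REVIEW: {username} <{email}> has Super User rights, registered {registered}")
```

On a live site, point the same two queries at the real database (with the site's own table prefix) and review every account the allowlist does not cover before deciding whether to keep or remove it.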

Due to this, Joomla advises users to change their passwords on both JRD and any other website where they’ve used the same email address and password combination.

The advisory also lists an extensive series of steps Joomla’s Incident Response Task Group undertook to audit systems, identify Indicators of Compromise (IoCs), remove any suspicious user accounts, configure privacy features, and update software components (e.g., PHP bumped to version 7.3).

The page ends with, "We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding."
