The team behind open source content management system Joomla has revealed that the platform has been hit by a security breach.
The breach affected 2,700 users registered on the Joomla Resources Directory (JRD), a platform that helps users find service providers for project management, design, and technical support.
The leaked data included personal information such as:
- Full name
- Business address
- Business email address
- Business phone number
- Company URL
- Nature of business
- Encrypted password (hashed)
- IP address
- Newsletter subscription preferences
The advisory revealed that unencrypted full-site backups of JRD were stored in AWS' S3 cloud service, and that each backup contained a full copy of the website, including all of its data. S3 does not offer encryption for stored data by default.
Joomla said the overall risk to data subjects was low to medium, and that reporting to privacy authorities was not necessary.
“Given the overall risk classification legal advice received was that no formal notification was required, however as an Open Source Project and in the spirit of full transparency we have issued this statement and made all those who potentially might have been affected aware,” the advisory stated.
“We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding.”