Joomla suffers data breach; registered user details leaked

Content management systems (CMS) are one of the most frequent targets of cyberattacks, web application penetration testing specialists say. An example of this is the recent report by security team from Joomla, which has confirmed a security breach detected over the past week.

The incident would have occurred because a member of the Joomla Resource Directory (JRD) left a full backup of their website (resources.joomla.org) fully exposed in an Amazon Web Services (AWS) bucket.

The report mentions that this backup was not encrypted and contained some details of around 2,700 users with websites registered in Joomla. Web application penetration testing experts also mentioned that some JDR accounts were exposed, a platform on which web developers can promote their experience in creating Joomla websites.

The investigation into the incident is still active, Joomla administrators mentioned. So far no evidence has been found to confirm or deny that any user has accessed the information exposed; among the data exposed are: 

  • Full names
  • Business address
  • Business email address
  • Phone numbers
  • Enterprise site URLs
  • Encrypted passwords
  • IP addresses, among other data

Web application penetration testing specialists pointed out that most of the exposed information is considered publicly accessible (including the directory for web development professionals), so the data breach is not particularly serious. However, it should be noted that data such as encrypted passwords or IP addresses should not be exposed to any user outside the company.

As a security measure, Joomla recommends that its users reset their passwords for the JRD portal and anywhere else where they use the same login credentials. According to the International Institute of Cyber Security (IICS), passwords exposed in similar incidents could be used by threat actors to deploy credential-stuffing attacks.

After detecting the incident, the Joomla team performed a security audit on the exposed portal. This process revealed the presence of some “superuser” accounts owned by people outside to Open Source Matters.

Joomla developers took the necessary steps to delete the accounts in question and disable any accounts that have not been logged in since January 1, 2019. According to data from the company itself, Joomla is the third most used CMS in the world, so a potential cyberattack could expose millions of users.