Joomla Resources Directory Users Exposed in Leaky AWS Bucket


Full backup copies of the website, including all user data, were exposed for 2,700 JRD users.

An Amazon Web Services (AWS) cloud storage bucket that was left open to the public internet has exposed thousands of Joomla users’ personal information.

About 2,700 individuals who signed up to use the Joomla Resources Directory (JRD) – a community forum for finding developers and service providers specialized in the Joomla content management system (CMS) – had their information exposed. The exposed material consists of JRD full-site backups in unencrypted form; each backup included a full copy of the website, including all the data.

The fields in the database include full name, business address, business email address, business phone number, company URL, nature of business, hashed password, IP address, and newsletter subscription preferences.

“Most of the data was public, since users submitted their data with the intent of being included into a public directory,” explained the Joomla security team, in a recent posting. However, they added that “private data (unpublished, unapproved listings, tickets) was [also] included in the breach.”

The backups were stored in AWS by a third-party company owned by an individual who was a team member for JRD at the time of the breach. This person is no longer on the team. The exposed bucket was discovered during a security audit of the JRD site.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” according to the notice.

Improperly configured cloud storage buckets continue to plague companies. In May, GoDaddy, the world’s largest domain name registrar, warned customers that attackers may have obtained their web hosting account credentials. The Scottsdale, Ariz.-based company has more than 19 million customers worldwide, but fortunately only 28,000 were affected by the attack.

And in April, Key Ring, creator of a digital wallet app used by 14 million people across North America, was found to have exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers said.
