Popular open-source content management system (CMS) Joomla has disclosed that an internal audit unearthed a major data leak that exposed a full backup of the site on an Amazon Web Services (AWS) bucket owned by a third party.
In an incident notification published last week, Joomla said the data leak potentially exposed full names, business addresses, business email addresses, business phone numbers, company URLs, nature of businesses, encrypted passwords, IP addresses, and newsletter subscription preferences of around 2,700 individuals.
The firm said that full backups of the JRD site had been stored in an Amazon Web Services S3 bucket belonging to a third party, a former Team Leader, and that each backup contained a full copy of the website, including all of its data. Even though most of that data was already public, a significant amount of private data, such as unpublished and unapproved listings and tickets, was also exposed.
"The risk to individuals is that the data will be used for marketing/advertising purposes without consent. However, individuals supplied the data to submit it to a public database so they were aware that the data would be public. However, certain data that was provided by the individuals was not intended to be public but is now available to the third party. The data subject rights of consent, ability to withdraw from direct marketing and the ability to withdraw consent would be impacted. However, not all or most data subject rights will be impacted or limited by this data breach."
Following the discovery of the exposure, Joomla issued a complete data deletion request to the third party involved, mandated the Webmasters Team to conduct regular audits of the *.Joomla.org websites, required everyone with access to personal data to sign a Non-Disclosure Agreement, and began preparing a Data Processing Addendum to be signed by all people with access to personal data.
Joomla says data exposure will not significantly impact affected users
Even though Joomla stated that the "risk of loss of control over data is high in this case", it determined that the risk to data subjects is low to medium as it could not see a significant or economic disadvantage that could affect the data subject.
"Data that would be typically used for the purposes of identity theft or fraud such as driver’s license numbers, social security numbers, mother’s maiden name was not included in the database. Usernames and passwords were included in the database, however, Joomla has always encrypted passwords and does not hold them as free text. It was therefore considered that the risk for individuals in terms of password recoverability was low," the firm noted.
However, despite this assessment, Joomla said that "in the spirit of full transparency" it decided to issue a notification about the data exposure to make everyone who might have been affected aware of it.
"We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding," it added.
Commenting on Joomla's data exposure, Paul Edon, Senior Director Technical Sales and Services (EMEA) at Tripwire, said that even though misconfigurations lead to more breaches than exploited systems, organisations often don't put the same effort into assessing them as they do into scanning for vulnerabilities.
"Joomla users should reset their credentials immediately. In general, users should be wary of reusing passwords and try to use a password manager so that unique, long, complex passwords can be used for each site that they log into. This will prevent attackers from logging into multiple sites if the user’s credentials are compromised. When possible, ensuring multi-factor authentication is enabled on each of their accounts is also very important," he added.