Joomla, a free and open-source content management system for publishing web content, developed by Open Source Matters, Inc., has disclosed a data breach which affects 2,700 individuals. 

According to a data breach notification from Joomla, a leader of the Joomla Resources Directory (JRD) team left full site backups in a third-party company Amazon Web Services S3 bucket unencrypted. Each backup copy included a full copy of the website, including all data. 

Most of the data was public, since users submitted their data with the intent of being included into a public directory. Private data (unpublished, unapproved listings, tickets) was included in the breach. 

Data that was potentially affected includes:

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

According to Joomla's risk assessment, risks of financial loss, damage to reputation, discrimination, identity theft or fraud, and any other significant or economic disadvantage are low to medium. 

In addition, Joomla has taken the following steps to increase security and prevent eventual breaches:

  • Akeeba Backup configuration check:
    Everything removed and the official backup configuration implemented with full encryption to organizational approved locations, with internal triggers.
    • Multiple backup profiles to third-party AWS S3 Locations.
    • Backups without passwords.
    • Backups without encryption key
  • External connections check:
    All connections from external services removed.
    • Third party service used to trigger the backups remotely.
    • Third party service used to do audits.
  • Communication streams:
    Removed / Converted private mail address to organizational ones and blocked access to external support parties.
    • Ticket notifications to private mail address instead of organizational ones.
    • Support from external parties without clear responsibility separation by using ACL.
  • CPANEL / Hosting level:
    • Removed all custom FTP & SSH accounts.
    • Changed access credentials.
    • Changed database user & password.

For more information about the data breach, visit