Joomla Resources Directory Users Exposed in Leaky AWS Bucket

Leaky buckets… again. Time to run a continual audit of which of your data is exposed (full disclosure: I resell CybelAngel; take a look at this whitepaper):

[…] “Most of the data was public, since users submitted their data with the intent of being included into a public directory,” explained the Joomla security team, in a recent posting. However, they added that “private data (unpublished, unapproved listings, tickets) was [also] included in the breach.”

The backups were stored in AWS by a third-party company owned by an individual who was a team member for JRD at the time of the breach. This person is no longer on the team, but the exposed bucket was discovered during a security audit of the JRD site.

“Even if we don’t have any evidence about data access, we highly recommend people who have an account on the Joomla Resources Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons,” according to the notice.

Improperly configured cloud storage buckets continue to plague companies. In May, GoDaddy, the world’s largest domain name registrar, warned customers that attackers may have obtained their web hosting account credentials. The Scottsdale, Ariz.-based company has more than 19 million customers worldwide, but fortunately only 28,000 were affected by the attack.

And in April, Key Ring, creator of a digital wallet app used by 14 million people across North America, was found to have exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers said.


Original article here