Possible leak of the Joomla project's user database

Developers of the free content management system Joomla have warned that full backups of the resources.joomla.org site, including the JRD (Joomla Resources Directory) user database, were found to have been placed in third-party storage.

The backups were not encrypted and included data on 2700 members registered on resources.joomla.org, a site that collects information about developers and vendors who create Joomla-based websites. In addition to publicly available personal data, the database contained password hashes, unpublished records, and IP addresses. All users registered in the JRD directory are advised to change their passwords and to check whether the same password is reused on other services.

The backup was placed by a project participant in third-party Amazon Web Services S3 storage owned by a third-party company founded by the former leader of the JRD admin team, who was still among the developers at the time of the incident. The analysis of the incident has not yet been completed, and it is not clear whether the backup copy fell into the hands of third parties. At the same time, an audit carried out after the incident showed that the resources.joomla.org server contained accounts with administrator rights that did not belong to employees of Open Source Matters, the company that maintains the Joomla project (it is not specified how these people are connected to the project).

Source: opennet.ru
