Breach ref #: 2019/01/JED
(This notice is issued pursuant Article 33 and 34 of European General Data Protection Regulation).
Details of breach
|Date in which the breach has been identified||15 May 2019 - 14.00 UTC+2|
|Date of breach found after investigation||11 May 2019|
|No. of people potentially affected:||Users who have an account on https://extensions.joomla.org|
|Nature of breach:||Potential exposure of personal data|
|Description of breach:||A software vulnerability has been used to obtain unauthorized access to two servers related to the Joomla Extension Directory (JED).|
|CVE of vulnerability||https://nvd.nist.gov/vuln/detail/CVE-2018-1000861?spm=a2c65.11461422.214.171.124014a93BOqygO#vulnCurrentDescriptionTitle|
|How we became aware of the breach||Security Researcher Report received by the Joomla Security Team|
|Data potentially affected||
|Consequences of the breach||Personal data contained in JED could have been accessed.
Further investigation is currently in progress to verify whether there has been access to data.
|Advisory||Even if we don’t have any evidence about data exposure, we highly recommend people who have an account on the Joomla Extensions Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.|
The affected website and servers have been taken down during the investigation phase. Further reports will be published at the end of the investigation.
As the investigation of this compromise continues and the affected services are restored, we will not be answering additional questions at this time; a full incident report will be published no later than 17 May 21:00 UTC.
We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding.