Breach ref #: 2019/01/JED

(This notice is issued pursuant to Articles 33 and 34 of the European General Data Protection Regulation.)

Details of breach

Date on which the breach was identified: 15 May 2019 - 14.00 UTC+2
Date of breach found after investigation: 11 May 2019
No. of people potentially affected: Users who have an account on https://extensions.joomla.org
Nature of breach: Potential exposure of personal data
Description of breach: A software vulnerability has been used to obtain unauthorized access to two servers related to the Joomla Extension Directory (JED).
CVE of vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2018-1000861#vulnCurrentDescriptionTitle
How we became aware of the breach: Security Researcher Report received by the Joomla Security Team
Data potentially affected:
  • Full name
  • Email address
  • Company Name
  • Encrypted password
Consequences of the breach: Personal data contained in JED could have been accessed.
Further investigation is currently in progress to verify whether there has been access to data.
Advisory: Even if we don’t have any evidence about data exposure, we highly recommend people who have an account on the Joomla Extensions Directory and use the same password (or combination of email address and password) on other services to immediately change their password for security reasons.

The affected website and servers have been taken down during the investigation phase. Further reports will be published at the end of the investigation.
As the investigation of this compromise continues and the affected services are restored, we will not be answering additional questions at this time; a full incident report will be published no later than 17 May 21:00 UTC.

We apologize for the inconvenience. We are deeply committed to providing the best and most secure infrastructure for our community. Thank you for the support and understanding.