1 June 2020

Joomla admits security breach affecting over 2,000 users


The team behind the Joomla open source content management system (CMS) has disclosed a data breach that affected more than 2,000 users of the JRD website (resources.joomla.org).

The leak was discovered during an internal website audit, the team said. The breach occurred after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site on a third-party company's Amazon Web Services S3 bucket. Each backup copy included a full copy of the website, including all the data.

According to the Joomla team, the backup file contained information for 2,700 users with an account on the JRD website. The potentially affected data includes:

  • Full name
  • Business address
  • Business email address
  • Business phone number
  • Company URL
  • Nature of business
  • Encrypted password (hashed)
  • IP address
  • Newsletter subscription preferences

The team said the exposed database did not contain payment data or information that would typically be used for identity theft or fraud (driver’s license numbers, social security numbers, or mother’s maiden name).

Although there is no evidence that the exposed data was accessed by third parties, users who have an account on the Joomla Resources Directory are advised to change their passwords, especially if these passwords (or the combination of email address and password) are used on other services.
