An internal website audit revealed that a third-party company owned by a former leader of the Joomla Resource Directory team — they are still a member of the JRD team — stored full JRD backups in an AWS S3 bucket. The bucket was unprotected and the backups were not encrypted, potentially exposing the data to unauthorized third parties.
The backups included information such as full name, business address, business email address and phone number, company URL, a description of the business, hashed passwords, IP addresses, and newsletter subscription preferences.