MD5 hashed passwords, names, emails leaked in incident

Nov 1, 2018 19:40 GMT

As reported by Troy Hunt's Have I Been Pwned breach notification service, the JoomlArt Joomla template website exposed private information of 22,477 users in a public Jira ticket.

The 22K customer records that JoomlArt accidentally leaked belonged to clients formerly registered on the iJoomla and JomSocial platforms, which JoomlArt acquired in 2017.

As detailed in the acquisition announcement made by JoomlArt's CEO, the two companies came with a database of over 500,000 users.

The accidental data leak incident happened in January 2018, and the exposed data "included usernames, email addresses, purchases and passwords stored as MD5 hashes."

When contacted by Troy Hunt, a JoomlArt spokesperson confirmed the incident and said that all affected customers were contacted and notified that their data was publicly exposed.

This was not the first time JoomlArt was involved in a security event: their JA Voice or JA Job Board websites were defaced in 2013, and their website's database was hacked in 2014.

JoomlArt was also previously defaced and hacked, with 3,500 plaintext passwords being stolen

Moreover, in August 2013 JoomlArt's JA Voice or JA Job Board boards were hacked and defaced three times in a row because "Demo sites running on the same server allows superadmin login access to back-end, which allows to edit layout files (CSS & Templates) in back-end."

Furthermore, JoomlArt's live server database was hacked in December 2014, and the attackers were able to gain access to the plaintext passwords of over 3,500 accounts.

"Our affiliate system is badly affected as it is evident that the passwords were stored unencrypted as plain text with over 3,500 accounts, it is severely compromised and we are getting in touch with all the affiliate account holders to secure their other sites with common password," said JoomlArt's CEO in his announcement.

Seeing that both hacking incidents were reported on the company's blog, the question is why the January 2018 data leak was not.   
