Uh oh, this isn’t good.
It seems that for over two years there has been a SQL-injection vulnerability in the Joomla Platform (which is used in millions of websites) that will allow remote takeover hacks.
SQL-injection vulnerabilities allow end users to execute powerful commands on a website’s backend database by entering “special” text in search boxes or other input fields found on a website. The flaws, which are among the most commonly exploited website vulnerabilities, are the result of an insecure Web application failing to enforce the treatment of incoming data as plain text rather than executable code. Often, this makes it possible for hackers to download confidential files from the vulnerable server.
Joomla have now patched the platform, but if website owners do not install the update, they are still vulnerable.
It’s a good thing all of our websites are using the WordPress platform :-)
You can read more about this issue at Joomla Bug.