Backup of user data
Moodle includes a feature that allows course backups to include user data (such as forum posts, glossary entries and so on). To do this, Moodle also includes the relevant user accounts, so that data consistency can be maintained when the backup is restored on a different Moodle site. Unfortunately, in the wrong hands, this feature can also cause a privacy leak and possible exploitation of the whole original site.
Since Moodle 1.9.7 and Moodle 1.8.11 there is a separate capability, moodle/backup:userinfo, that controls the backup of user data independently of the capability to back up courses. By default this capability is disabled for all roles.
The security report contains a check for this, and will report on any roles or users that have this capability enabled. Please make sure that you keep this capability only for people who really need it.
Please also note that even if you trust all those users shown, you should make sure they are using very strong passwords (by setting a password policy for them), because those same capabilities become available to anyone who might crack their accounts.
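The same review can be done directly against the database. The query below is an added example, not the code behind Moodle's security report; it assumes the default `mdl_` table prefix and lists every role that explicitly allows moodle/backup:userinfo together with the users assigned to that role.

```sql
-- Added audit example (not Moodle's own security-report code).
-- Assumption: tables use the default "mdl_" prefix.
-- permission = 1 is CAP_ALLOW in Moodle's role_capabilities table.
SELECT r.shortname      AS role,
       rc.contextid     AS allowed_in_context,   -- where the allow is defined
       cx.contextlevel  AS allowed_context_level,
       u.username       AS assigned_user,
       ra.contextid     AS assigned_in_context   -- where the user holds the role
FROM mdl_role_capabilities rc
JOIN mdl_role    r  ON r.id  = rc.roleid
JOIN mdl_context cx ON cx.id = rc.contextid
-- LEFT JOINs keep roles that allow the capability but have no assignees yet,
-- so a risky role definition is still visible before anyone is given it.
LEFT JOIN mdl_role_assignments ra ON ra.roleid = rc.roleid
LEFT JOIN mdl_user             u  ON u.id      = ra.userid
WHERE rc.capability = 'moodle/backup:userinfo'
  AND rc.permission = 1
ORDER BY r.shortname, u.username;
```

The result is a conservative list: it does not evaluate prevent or prohibit overrides in other contexts, so some users shown may not effectively hold the capability everywhere. A row with no assigned_user means the role allows the capability but is not currently assigned to anyone.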
- Using Moodle Security and Privacy forum