Joomla corrected a bug that was created 8 years ago where an attacker can steal website administrator credentials. The bug exists in Joomla’s LDAP (Lightweight Directory Access Protocol). Input is not properly sanitized, so an attacker can use wildcards to progressively determine credentials.
Although the bug was present for 8 years, Joomla fixed it promptly after being notified by security professionals. Bitdefender’s report on this issue is available here.
If you haven’t updated already to version 3.8, please do so ASAP.