Pierluigi Paganini
April 01, 2024
The OWASP Foundation has disclosed a data breach that impacted some of its members.
No joke, we did have a data breach in late March involving the resumes of our earliest members. Rest assured, all current membership data remains secure. We recognize the unfortunate irony here, and are determined to make it our last breach.
— OWASP® Foundation (@owasp) April 1, 2024
Details here: https://t.co/WUhvf3RGdX pic.twitter.com/jPzTZstIEL
The OWASP (Open Web Application Security Project) Foundation is a nonprofit organization focused on improving the security of software. It provides freely available resources, tools, and documentation to help organizations develop, deploy, and maintain secure software applications.
In late February 2024, the Foundation received a few support requests and became aware of a misconfiguration of OWASP’s old Wiki web server. The misconfiguration led to a data breach involving old member resumes.
The incident impacted OWASP members from 2006 to around 2014 who provided their resumes as part of joining OWASP.
Exposed resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information.
“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process.” reads the data breach notification published by the Foundation.
In response to the security breach, the experts at the Foundation have disabled directory browsing, reviewed the web server and Media Wiki configuration for other security issues, secured the resumes, and purged the CloudFlare cache. The organization also requested that the information be removed from the Web Archive.
The Foundation said that the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old. Most of the personal details included in this breach are outdated, making it difficult to contact the impacted individuals. However, the Foundation will contact the email addresses discovered during our investigations.
“I think I am affected. What do I need to do? OWASP has already removed your information from the Internet, so no immediate action on your part is required. Nothing needs to be done if the information at risk is outdated. However, if the information is current, such as containing your mobile phone number, please take the usual precautions when answering unsolicited emails, mail, or phone calls.” concludes the notification.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
