The Open Worldwide Application Security Project (OWASP) suffered a data breach in late February 2024 resulting in the exposure of sensitive data belonging to some of its members.
In an announcement published on the OWASP website, Executive Director Andrew van der Stock confirmed the breach and explained that it happened due to a misconfiguration of an old OWASP Wiki web server.
As a result, an unnamed threat actor gained access to resumes belonging to open source fans who joined between 2006 and 2014.
Notifying affected members
“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community,” van der Stock explained. “OWASP no longer collects resumes as part of the membership process.”
Through these resumes, van der Stock further said, the threat actors obtained people’s names, email addresses, postal addresses, phone numbers, and “other personally identifiable information”: enough to enable phishing or identity theft.
Given that the data was collected between 2006 and 2014, there’s a good chance it’s outdated. In that case, the OWASP chief says, members need not act. Those who believe the information is still current should be careful when receiving SMS messages, calls, and emails. The project said it will try to notify affected individuals, but given the age of the data on file, doing so could be a challenge.
“As many of the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old, a great deal of the personal details included in this breach are significantly out of date, making contact difficult,” it was said. “Regardless, we will contact the email addresses discovered during our investigations.”
OWASP is a software security non-profit, with thousands of members and frequent training conferences around the world.