OWASP Foundation reveals data breach following Wiki web server issue


The Open Worldwide Application Security Project (OWASP) suffered a data breach in late February 2024 resulting in the exposure of sensitive data belonging to some of its members. 

In an announcement published on the OWASP website, Executive Director Andrew van der Stock confirmed the breach and explained that it happened due to a misconfiguration of an old OWASP Wiki web server.

As a result, an unnamed threat actor gained access to resumes belonging to open source fans who joined between 2006 and 2014. 

Notifying affected members

“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community,” van der Stock explained. “OWASP no longer collects resumes as part of the membership process.”

Through these resumes, van der Stock further said, the threat actors obtained people’s names, email addresses, postal addresses, phone numbers, and “other personally identifiable information”, which is enough to enable phishing or identity theft.

Given that the data was collected between 2006 and 2014, there’s a good chance it’s outdated. In that case, the OWASP chief says, members need not act. Those who believe the information is still current should be careful when receiving SMS messages, calls, and emails. The project will try to notify affected individuals, but given the age of the data on file, this could be a challenge.

“As many of the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old, a great deal of the personal details included in this breach are significantly out of date, making contact difficult,” it was said. “Regardless, we will contact the email addresses discovered during our investigations.”

OWASP is a software security non-profit, with thousands of members and frequent training conferences around the world.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.