The Open Worldwide Application Security Project (OWASP) warns current and former members that their data may have been breached due to a misconfiguration of an old Wiki web server.
OWASP provides resources, tools, and documentation to help organizations develop, implement, and maintain security for web applications, system software, and the IoT. Founded in 2001, the nonprofit has tens of thousands of members around the world.
Now, many of those early members are being warned that their personal data may have been exposed thanks to a misconfiguration of the Wiki web server that hosts their resumes.
Those who joined between 2006 and 2014 were asked to provide a resume to demonstrate a connection to the OWASP community, and it is these members who are affected by the breach.
The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information.
“If you were a member of OWASP from 2006 to approximately 2014 and provided your resume as part of joining OWASP, we recommend that you assume that your resume was part of this breach,” said OWASP CEO Andrew van der Stock.
The issue was discovered in late February, when, after receiving several support requests, the OWASP Foundation became aware of a misconfiguration of the former OWASP Wiki web server.
The nonprofit assured members that their current data is protected by cloud-based security best practices such as two-factor authentication, minimum (least-privilege) access, and resiliency.
OWASP added that it no longer collects resumes from prospective members and now collects only minimal information to minimize any potential data loss in the future.
Many of those affected have already left OWASP, and the data is at least ten years old, making it difficult for OWASP to locate them all. However, van der Stock said the organization will do its best to contact everyone affected.
If the data includes current information such as phone numbers, he cautioned, members should be especially alert to the possibility of scam calls.
OWASP has done everything it can to rectify the breach, according to van der Stock. The organization has reviewed its data retention policies and will implement additional security measures to prevent further breaches in the future.
“We have disabled directory browsing, reviewed the web server and MediaWiki settings for other security issues, removed resumes from the wiki site entirely, and cleared the Cloudflare cache to prevent further access,” he said.
“Finally, we have requested that the information be removed from the Web Archive.”
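The first fix in that list, disabling directory browsing, is the one that closes the exposure described in the article. The following is an added example and not OWASP's own code or configuration: it assumes the wiki is served by Apache httpd (the article does not name the web server) and runs a small audit over a constructed httpd.conf fragment, flagging every `<Directory>` block whose `Options` line enables `Indexes` and rewriting those lines to the hardened form. A second helper checks a fetched page body for Apache's autoindex markers, which is the confirmation a defender would run against their own site after the change.

```python
import re

# Constructed sample httpd.conf fragment (not OWASP's real configuration).
# The first two blocks show the weak setting: directory listing enabled on
# paths that hold uploaded files such as resumes.
SAMPLE_CONF = """\
<Directory "/var/www/wiki">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/wiki/uploads">
    Options +Indexes
    Require all granted
</Directory>

<Directory "/var/www/static">
    Options -Indexes
    Require all granted
</Directory>
"""

DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)
OPTIONS_LINE = re.compile(r'^([ \t]*)Options[ \t]+(.+?)[ \t]*$', re.M | re.I)

# Apache's `All` keyword is every option except MultiViews; this is that set
# with Indexes left out, used when an absolute list has to be rewritten.
ALL_WITHOUT_INDEXES = ['ExecCGI', 'FollowSymLinks', 'Includes', 'SymLinksIfOwnerMatch']


def indexes_enabled(options_args):
    """True when an Options argument list leaves directory listing switched on.

    Handles both absolute lists (`Options Indexes FollowSymLinks`) and relative
    ones (`Options +Indexes`), evaluated left to right as Apache does.
    """
    enabled = False
    for tok in options_args.split():
        name = tok.lstrip('+-').lower()
        if name in ('all', 'indexes'):
            enabled = not tok.startswith('-')
    return enabled


def find_listing_enabled(conf):
    """Return the paths of <Directory> blocks whose Options enable Indexes."""
    found = []
    for m in DIR_BLOCK.finditer(conf):
        path, body = m.group(1), m.group(2)
        if any(indexes_enabled(om.group(2)) for om in OPTIONS_LINE.finditer(body)):
            found.append(path)
    return found


def harden_options(options_args):
    """Rewrite one Options argument list so that Indexes is off.

    Apache rejects a mix of relative (+/-) and absolute tokens, so a relative
    list gets an explicit `-Indexes` appended, while an absolute list simply
    drops `Indexes` (and expands `All` without it).
    """
    toks = options_args.split()
    if toks and all(t[0] in '+-' for t in toks):
        kept = [t for t in toks if t.lstrip('+-').lower() != 'indexes']
        return ' '.join(kept + ['-Indexes'])
    out = []
    for t in toks:
        if t.lower() == 'indexes':
            continue
        out.extend(ALL_WITHOUT_INDEXES if t.lower() == 'all' else [t])
    return ' '.join(out) if out else 'None'


def harden(conf):
    """Return the configuration with every Options line hardened in place."""
    return OPTIONS_LINE.sub(
        lambda m: f"{m.group(1)}Options {harden_options(m.group(2))}", conf)


def looks_like_listing(html):
    """True if a response body carries the markers of an Apache autoindex page."""
    return '<title>Index of ' in html or 'Parent Directory' in html


if __name__ == '__main__':
    print('listing enabled under:', find_listing_enabled(SAMPLE_CONF))
    print(harden(SAMPLE_CONF))
```

Run against a real httpd.conf, the audit reports the paths that still serve listings; after applying the rewritten lines and reloading, fetching a bare directory URL of the site should no longer produce a body for which `looks_like_listing` returns true. The same review is worth repeating for any CDN in front of the server, since a cached listing page survives the origin fix until the cache is purged, which is why the cache purge appears alongside the configuration change in the article.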
In a comment on X, the foundation wryly stated “we recognize the unfortunate irony here and are determined to make it our latest infraction.”