The OWASP Foundation has recently made public a data breach incident where the resumes of certain members were inadvertently made accessible online due to a misconfiguration of its previous Wiki web server.
OWASP, which stands for Open Worldwide Application Security Project, is a nonprofit organization established in December 2001 with a focus on enhancing software security.
Over the years, it has garnered a large membership base, boasting tens of thousands of members and over 250 chapters worldwide, which organize various educational and training events. OWASP identified the breach in late February after receiving numerous support requests.
The breach primarily impacted individuals who became members of the foundation between 2006 and 2014 and had submitted resumes as part of the membership process during that period.
Andrew van der Stock, the Executive Director of OWASP, disclosed that the exposed resumes contained sensitive personal information such as names, email addresses, phone numbers, and physical addresses. He clarified that during the mentioned period, OWASP used to collect resumes as a requirement for membership, aiming to establish a connection with the OWASP community. However, the organization no longer follows this practice.
Although many of the affected individuals are no longer associated with OWASP, the foundation has committed to notifying them by email about the breach. In many cases, the exposed personal data may also be outdated.
In response to the breach, OWASP has taken several steps to mitigate the situation. These include disabling directory browsing, reviewing the web server and MediaWiki configuration for other potential security vulnerabilities, and removing all resumes from the wiki site while also purging the Cloudflare cache. Furthermore, OWASP has approached the Web Archive to request the removal of the exposed resume information from its records.
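The root cause described above, directory browsing left enabled on a web server that also held uploaded files, is a configuration issue. The following Apache httpd fragment is an added illustration, not OWASP's actual configuration and not part of the original article: it shows the weak setting beside the corrected one for a hypothetical MediaWiki upload directory (`/var/www/wiki/images` is an assumed path).

```apache
# Added illustration (not OWASP's real configuration). Assumed paths.

# WEAK: "Indexes" lets Apache generate a file listing for any directory
# that has no index file, so every uploaded document becomes browsable
# (and crawlable, so it may also end up in CDN caches and web archives).
<Directory "/var/www/wiki/images">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# CORRECTED: "-Indexes" disables listing; a request for the directory
# itself returns 403 instead of a file list. Serving uploads with
# execution disabled and a conservative Cache-Control header limits how
# far an accidental exposure propagates through caches.
<Directory "/var/www/wiki/images">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
    # Do not let uploaded content run as server-side code.
    <FilesMatch "\.(php|phtml|cgi|pl)$">
        Require all denied
    </FilesMatch>
    Header set Cache-Control "private, no-store"
</Directory>
```

After changing the setting, confirm it with `apachectl configtest` and then request the bare directory URL: a 403 (or the index page) rather than an HTML file list shows that browsing is off. Because upstream caches and archives keep copies independently of the origin, the configuration fix must be paired with the cache purge and removal requests the article describes.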
Van der Stock reassured the affected individuals that OWASP has already taken measures to remove their information from the internet, thereby alleviating the immediate concerns. However, he advised caution for those whose information might still be relevant, urging them to exercise usual precautions when dealing with unsolicited communications via email, mail, or phone.