The OWASP Foundation discloses a data breach caused by a problem with its Wiki web server.

OWASP, the Open Worldwide Application Security Project, disclosed a data breach in late February 2024 that exposed sensitive data of some of its members. Executive Director Andrew van der Stock confirmed that the breach occurred due to a misconfiguration of an old OWASP Wiki web server.

The breach exposed the resumes of open source enthusiasts who were part of the OWASP community between 2006 and 2014, which were accessed by an unidentified threat actor.

Notifying affected members

During the mentioned period, OWASP collected resumes as a requirement for membership, but it no longer follows this practice. The compromised data included names, email addresses, postal addresses, phone numbers, and other personally identifiable information that could be exploited for phishing or identity theft.

Van der Stock acknowledged the likelihood of outdated data but cautioned members who believe their information is still valid to be vigilant against potential phishing attempts through various communication channels.

The project aims to inform impacted individuals, although the age of the data could pose a challenge in reaching them effectively. Despite this, efforts will be made to contact the email addresses uncovered during the investigation.

OWASP, a software security non-profit organization with a vast network of members and worldwide training events, has affirmed its commitment to addressing the aftermath of the breach and safeguarding its community’s data.
