OWASP Foundation reveals data breach following Wiki web server issue
Data was stolen from OWASP servers
The Open Worldwide Application Security Project (OWASP) suffered a data breach in late February 2024 resulting in the exposure of sensitive data belonging to some of its members.
In an announcement published on the OWASP website, Executive Director Andrew van der Stock confirmed the breach and explained that it happened due to a misconfiguration of an old OWASP Wiki web server.
As a result, an unnamed threat actor gained access to resumes belonging to open source enthusiasts who joined OWASP as members between 2006 and 2014.
Notifying affected members
“OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community,” van der Stock explained. “OWASP no longer collects resumes as part of the membership process.”
Through these resumes, van der Stock added, the threat actor obtained people’s names, email addresses, postal addresses, phone numbers, and “other personally identifiable information”, which is enough to enable phishing or identity theft.
Given that the data was collected between 2006 and 2014, there is a good chance it is outdated. In that case, the OWASP chief says, members need not act. Those who believe the information is still current should be wary of unsolicited SMS messages, calls, and emails. OWASP says it will try to notify affected individuals, though given the age of the data on file this could prove a challenge.
“As many of the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old, a great deal of the personal details included in this breach are significantly out of date, making contact difficult,” it was said. “Regardless, we will contact the email addresses discovered during our investigations.”
OWASP is a software security non-profit, with thousands of members and frequent training conferences around the world.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.