Hacker infiltrates OWASP and leaks data

The OWASP Foundation has reported a data leak after the resumes of some members of the organization were exposed through a misconfiguration of its old wiki web server.

OWASP (Open Worldwide Application Security Project) is a non-profit organization founded in December 2001 dedicated to software security issues. OWASP currently has tens of thousands of members and more than 250 chapters that regularly organize educational and training conferences around the world.

OWASP said it discovered in late February 2024, after several support requests, that its MediaWiki server was misconfigured. The incident affected only those OWASP members who joined the organization between 2006 and 2014 and submitted a resume as part of the joining process.

“The resumes contained names, email addresses, phone numbers, physical addresses and other personal information,” says OWASP executive director Andrew van der Stock. “OWASP collected resumes as part of its membership process, which required members to demonstrate a connection to the OWASP community between 2006 and 2014. OWASP no longer requires resumes from participants.”

The organization says it will send letters to everyone affected to notify them of what happened. Notably, many of those affected are no longer OWASP members, and much of the disclosed personal information is now outdated.

OWASP also took several steps to contain the leak: it disabled directory browsing and reviewed the configuration of the web server and MediaWiki for other possible problems. In addition, all resumes were removed from the wiki site and the Cloudflare cache was purged, and OWASP contacted the Web Archive to ask that the inadvertently disclosed information be removed from there as well.
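As an added illustration (not code from the article or from OWASP), a small Python check that a site operator can run over their own web server's responses to confirm that directory browsing on an upload directory is really off and that no document files are enumerable. The two sample responses are constructed; the "Index of /" title is the marker Apache and nginx auto-index pages share.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not real OWASP data) for a request to a wiki's
# "images/archive/" directory URL, before and after directory browsing is disabled.
LISTING_BODY = """<html><head><title>Index of /images/archive</title></head>
<body><h1>Index of /images/archive</h1><pre>
<a href="/images/">Parent Directory</a>
<a href="Smith_resume.pdf">Smith_resume.pdf</a>
<a href="Jones_CV.docx">Jones_CV.docx</a>
<a href="logo.png">logo.png</a>
</pre></body></html>"""
FORBIDDEN_BODY = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

# Document types that should never be enumerable from a public upload directory.
DOCUMENT_EXT = (".pdf", ".doc", ".docx", ".odt", ".rtf", ".txt", ".csv", ".bak")

class _IndexPageParser(HTMLParser):
    """Collects the <title> text and every <a href> value of a response body."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_directory_response(status, body):
    """Return (is_listing, exposed_docs) for one response to a directory URL."""
    if status != 200:          # 403/404 means browsing is off (or no such path)
        return False, []
    p = _IndexPageParser()
    p.feed(body)
    if not re.match(r"\s*Index of\s+/", p.title):
        return False, []       # a normal page, not an auto-generated index
    # Keep only relative file entries: skip sort links (?C=...) and parent links.
    files = [h for h in p.hrefs if not h.startswith(("?", "/", "../"))]
    exposed = [f for f in files if f.lower().endswith(DOCUMENT_EXT)]
    return True, exposed
```

Run against a live server, the function would be fed the status code and body of a request to each upload directory; a result of `(True, [...])` means the directory is browsable and names the document files it leaks.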

“OWASP has already removed your data from the Internet, so no immediate action is required from you. There is also no need to do anything if the compromised information is out of date,” van der Stock adds. “However, if the information is current, such as including your mobile phone number, please exercise normal precautions when responding to unsolicited emails, mail or phone calls.”