OWASP foundation reports data breach caused by wiki misconfiguration

The OWASP Foundation reported a data breach stemming from a misconfiguration of its old wiki web server. OWASP, the Open Web Application Security Project, is a nonprofit founded in December 2001 to improve software security. It has tens of thousands of members and over 250 chapters worldwide, and organizes educational and training conferences on software security.

The breach was discovered in late February 2024 after OWASP received several support requests revealing that a MediaWiki misconfiguration (directory browsing left enabled on the server) had exposed some members' resumes online. OWASP's Executive Director explained that collecting resumes was part of the early membership process, used to demonstrate a connection to the OWASP community; the practice has since been discontinued.

The breach affects individuals who joined OWASP between 2006 and 2014 and submitted a resume as part of the membership process of that period. The resumes included personal information such as:

  • names,
  • email addresses,
  • phone numbers,
  • physical addresses,
  • other personally identifiable information (PII).

About 1,000 resumes were on the affected server, although it is not clear how many of them were duplicates.

OWASP has taken several corrective measures, including disabling directory browsing and reviewing the web server and MediaWiki configuration for further weaknesses. All resumes have been removed from the wiki site, and the Cloudflare cache has been purged so that copies of the files are no longer served from the CDN. OWASP also contacted the Web Archive to request removal of the exposed resume information.
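The root cause described above (an auto-generated directory index on a wiki host listing every uploaded file) is easy to detect and easy to fix. The script below is an added example, not code from the article or from OWASP: it recognizes the default Apache mod_autoindex and nginx autoindex listing pages, enumerates the files they expose, and flags document types that are usually unintended uploads such as resumes. The three HTML bodies are constructed samples, not captures from any real server; the `/w/images/` path and file names are assumptions chosen to resemble a MediaWiki upload directory.

```python
"""Detect web-server directory listings and enumerate the files they expose.

Added example (not the article's or OWASP's code). Runs offline against the
constructed samples below; audit_url() is the only function that touches the
network, and only when you pass URLs on the command line.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Document types that, in a wiki upload directory, are usually files nobody
# meant to publish (resumes, spreadsheets, database dumps, backups).
SENSITIVE_SUFFIXES = (".pdf", ".doc", ".docx", ".rtf", ".odt", ".xls",
                      ".xlsx", ".csv", ".zip", ".sql", ".bak", ".tar.gz")

# Markers present in the default listing templates of Apache mod_autoindex
# and nginx ngx_http_autoindex_module. The trailing slash avoids matching
# ordinary wiki pages whose title happens to start with "Index of".
_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.IGNORECASE),
    re.compile(r"<h1>\s*Index of /", re.IGNORECASE),
    re.compile(r"Parent Directory", re.IGNORECASE),
)


def is_directory_listing(html):
    """True when the body looks like an auto-generated directory index."""
    return any(m.search(html) for m in _LISTING_MARKERS)


class _LinkCollector(HTMLParser):
    """Collects every <a href> in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value:
                self.hrefs.append(value)


def listed_entries(html):
    """Return the file and sub-directory names an index page links to,
    dropping navigation links (parent directory, sort-order query strings,
    absolute and external URLs)."""
    collector = _LinkCollector()
    collector.feed(html)
    entries = []
    for href in collector.hrefs:
        if href.startswith(("?", "#", "/", "../")) or href in ("./", "."):
            continue
        if "://" in href:
            continue
        entries.append(href)
    return entries


def sensitive_entries(entries):
    """Subset of entries whose extension is in SENSITIVE_SUFFIXES."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


def audit_html(html):
    """Summarize one response body: is it a listing, and what does it expose?"""
    if not is_directory_listing(html):
        return {"listing": False, "entries": [], "sensitive": []}
    entries = listed_entries(html)
    return {"listing": True, "entries": entries,
            "sensitive": sensitive_entries(entries)}


def audit_url(url, timeout=10.0):
    """Fetch url and audit it (network call; used only from the command line)."""
    req = Request(url, headers={"User-Agent": "dirlisting-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    result = audit_html(body)
    result["sensitive_urls"] = [urljoin(url, e) for e in result["sensitive"]]
    return result


# Constructed sample bodies mimicking the default templates; not real captures.
APACHE_INDEX_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /w/images/archive</title></head>
<body><h1>Index of /w/images/archive</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/w/images/">Parent Directory</a></td></tr>
<tr><td><a href="Resume_J_Doe.pdf">Resume_J_Doe.pdf</a></td></tr>
<tr><td><a href="Logo.png">Logo.png</a></td></tr>
<tr><td><a href="thumb/">thumb/</a></td></tr>
</table></body></html>"""

NGINX_INDEX_SAMPLE = """<html><head><title>Index of /images/</title></head>
<body><h1>Index of /images/</h1><hr><pre><a href="../">../</a>
<a href="cv_2009.docx">cv_2009.docx</a>   12-Mar-2009 10:11   44912
<a href="wiki.png">wiki.png</a>   01-Jan-2010 00:00   1204
</pre><hr></body></html>"""

ARTICLE_PAGE_SAMPLE = """<html><head><title>Main Page - Wiki</title></head>
<body><p>Welcome.</p><a href="/wiki/Index_of_chapters">Index of chapters</a></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:
            print(target, audit_url(target))
    else:
        for name, body in (("apache sample", APACHE_INDEX_SAMPLE),
                           ("nginx sample", NGINX_INDEX_SAMPLE),
                           ("wiki page sample", ARTICLE_PAGE_SAMPLE)):
            print(name, audit_html(body))
```

Run it with no arguments to see the three samples classified, or pass the URLs of upload and archive directories on a wiki host you administer. A finding is fixed in the web server, not in MediaWiki: for Apache, `Options -Indexes` inside the `<Directory>` block covering the upload path; for nginx, `autoindex off;` (the default) in the matching `location`. As the OWASP response shows, turning the listing off is only the first step, because a CDN cache and web archives may still hold both the index page and the documents it pointed to.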

OWASP will notify affected individuals of the incident by email, although many of them may no longer be members and the contact details in the resumes may be outdated.
