The Open Worldwide Application Security Project (OWASP) Foundation on Friday announced that the personal information provided by aspiring members over a decade ago was exposed in a data breach.
With tens of thousands of members, the OWASP Foundation is an online community that seeks to improve software security through open source projects and freely available articles, documentation, technologies, and tools for IoT, software, and web applications.
On March 29, OWASP revealed that a misconfiguration on its old wiki server resulted in the exposure of information provided in resumes that aspiring members were required to submit over a decade ago.
OWASP was launched in September 2001 and, as part of its early membership process, members were required to show a connection to the community. It collected resumes between 2006 and 2014.
“If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach,” the foundation says.
The exposed information, OWASP says, includes names, addresses, phone numbers, email addresses, and other personally identifiable information.
After identifying the misconfiguration in February 2024, the organization reviewed the wiki configuration for other security weaknesses, completely removed the resumes from the site, disabled directory browsing, purged the Cloudflare cache, and requested for the data to be removed from the Web Archive.
OWASP says it is in the process of notifying the impacted individuals via the email addresses identified during its investigation into the incident.
“We are bringing this issue to the broader public’s attention with abundant caution. As many of the individuals affected by this breach are no longer with OWASP and the age of the data is between ten and 18 years old, a great deal of the personal details included in this breach are significantly out of date, making contact difficult,” the foundation says.
While the impacted individuals do not need to take immediate action to secure their information, since OWASP has already removed it from the internet, taking the usual precautions is necessary if the exposed information is current.
Related: Massachusetts Health Insurer Data Breach Impacts 2.8 Million
Related: Mintlify Data Breach Leads to Exposure of Customer GitHub Tokens