
OWASP Foundation warns members of data breach after discovering 1,000 resumes on Wiki server

The software security nonprofit Open Worldwide Application Security Project (OWASP) has warned its members of a possible data breach potentially affecting anyone who was a member of the organization from 2006 to 2014. 

The foundation published an advisory on Friday explaining that in late February it became aware of an old Wiki server that contained decade-old resumes. 

The organization calls itself the “world’s largest non-profit organization concerned with software security” and has more than 250 chapters around the world with tens of thousands of members. 

OWASP Foundation Executive Director Andrew van der Stock told Recorded Future News that about 1,000 resumes were on the server, but he was not sure whether there were duplicates.

Van der Stock said he does not believe anyone outside of OWASP staff ever accessed the server, noting that it was archived once by the Wayback Machine back in 2023 and never re-indexed. 

“Unfortunately, the log retention policy on the small VPS [Virtual Private Server] it was hosted upon only means we have limited logs, so we don't think it was widely accessed, but as the misconfiguration dates back to at least 2019 when the VPS was first stood up, we simply don't know, and as the file system is small, any old data would have been long overwritten even if forensics was possible,” he said.  

Van der Stock added that the directory where the resumes were located was not easily found because it was not indexed and separate from the organization’s Wiki installation. 

“So in all likelihood, considering that we only just got our first support tickets about it means that it wasn't widely accessed prior to February 2024,” he said. 

In the advisory, OWASP said anyone who was a member from 2006 to 2014 and had submitted a resume should assume their information was part of the breach.

The organization says it collected the data as part of an early membership process where prospective applicants were required to show connections to the OWASP community. The organization no longer requires the submission of resumes as part of the membership process, and it now uses a variety of cloud-based security practices to protect member information. 

In an effort to rectify the situation, OWASP said it has “disabled directory browsing, reviewed the web server and MediaWiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the CloudFlare cache to prevent further access.”
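As an added illustration, not part of the article or of OWASP's advisory: a small Python audit that flags the directory-listing setting the advisory says was disabled, checking Apache `<Directory>` blocks and nginx `location` blocks. The config fragments and paths are constructed for the example; the checker does not handle nested nginx blocks.

```python
import re

# Constructed sample: an Apache <Directory> block with directory listing
# enabled (the weak setting), and the same block with it turned off.
APACHE_WEAK = """
<Directory "/var/www/wiki/uploads">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

APACHE_FIXED = """
<Directory "/var/www/wiki/uploads">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed nginx equivalent of the weak setting.
NGINX_WEAK = """
location /uploads/ {
    autoindex on;
}
"""


def apache_listing_enabled(config: str) -> list[str]:
    """Return paths of <Directory> blocks whose Options line enables Indexes."""
    findings = []
    for m in re.finditer(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', config, re.S):
        path, body = m.group(1), m.group(2)
        for line in body.splitlines():
            tokens = line.split()
            if not tokens or tokens[0] != "Options":
                continue
            # "Indexes", "+Indexes" and "All" enable listing; "-Indexes" disables it.
            if any(t in ("Indexes", "+Indexes", "All", "+All") for t in tokens[1:]):
                findings.append(path)
    return findings


def nginx_listing_enabled(config: str) -> list[str]:
    """Return location prefixes whose block contains 'autoindex on;'."""
    findings = []
    for m in re.finditer(r'location\s+([^\s{]+)\s*\{(.*?)\}', config, re.S):
        prefix, body = m.group(1), m.group(2)
        if re.search(r'^\s*autoindex\s+on\s*;', body, re.M):
            findings.append(prefix)
    return findings
```

Run against a server's real configuration, any path it reports is one where a browser request for the directory URL would return a file listing rather than a 403 or 404.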

“Lastly, we have requested that the information be removed from the Web Archive,” the organization said. 

OWASP added that it was forced to bring this issue to the public because many of those potentially affected are no longer members of the organization and do not have up-to-date contact information, making it difficult to notify them. 

Those affected do not need to take any action, according to OWASP, because the organization has removed the information from the internet. But it warned that if any of the information in the resumes is still current, victims should be wary of emails, phone calls and other scam attempts.

“We recognize the significance of this breach, especially considering the OWASP Foundation’s emphasis on cybersecurity. We apologize to those affected by the breach and are committed to ensuring that this does not happen again,” the notice said. 

“We are reviewing our data retention policies and will be implementing additional security measures to prevent future breaches.”


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.