OWASP discloses data breach caused by wiki misconfiguration

The OWASP Foundation has disclosed a data breach after some members' resumes were exposed online due to a misconfiguration of its old Wiki web server.

Short for Open Worldwide Application Security Project, OWASP is a nonprofit foundation launched in December 2001 and focuses on software security.

It now has tens of thousands of members and more than 250 chapters that organize educational and training conferences worldwide.

OWASP says it discovered the Media Wiki misconfiguration in late February following several support requests.

The incident only affected members who joined the foundation between 2006 and 2014 and provided resumes as part of the old membership process.

"The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information," said OWASP Executive Director Andrew van der Stock.

"OWASP collected resumes as part of the early membership process, whereby members were required in the 2006 to 2014 era to show a connection to the OWASP community. OWASP no longer collects resumes as part of the membership process."

The foundation will email affected individuals to notify them of the incident even though many of them are no longer members and the exposed personal details are, in many cases, out of date.

​OWASP also took several measures to address the data breach, disabling directory browsing and reviewing the web server and Media Wiki configuration for other security issues.

To prevent further access, they removed all resumes from the wiki site and purged the Cloudflare cache. Additionally, OWASP reached out to the Web Archive and requested that the exposed resume information be removed.

"OWASP has already removed your information from the Internet, so no immediate action on your part is required. Nothing needs to be done if the information at risk is outdated," van der Stock added.

"However, if the information is current, such as containing your mobile phone number, please take the usual precautions when answering unsolicited emails, mail, or phone calls."