OWASP reveals member info exposed in recently discovered leak

OWASP, a global foundation that advocates for software security, apologized to thousands of its members this past weekend after revealing that the non-profit had been leaking members' personal information on the web for years.

The Open Worldwide Application Security Project, more commonly known as OWASP, said it became aware of the data leak in late February after several requests were submitted to tech support by community members.

OWASP Executive Director Andrew van der Stock said the leak was due to a misconfiguration in OWASP’s old Wiki web server.

“We recognize the significance of this breach, especially considering the OWASP Foundation’s emphasis on cybersecurity,” van der Stock said in a Data Breach Notification posted on the OWASP website Friday.

Database of resumes

The notification confirms a database containing “decade-old member resumes” may have been unknowingly accessed by any third party aware of the open server.

“If you were an OWASP member from 2006 to around 2014 and provided your resume as part of joining OWASP, we advise assuming your resume was part of this breach,” van der Stock said.

“We have no way of knowing who has accessed the information,” OWASP Director of Community Development Jason C. McDonald told Cybernews.

"The misconfiguration of the server five years ago meant that the information was on the public internet without our knowledge," he said.

McDonald also told Cybernews that he was the OWASP staff member who received the report from the community, and was responsible for investigating and mitigating the leak.

"The fact we didn't realize this is still a point of concern for us, and has led to significant changes to our approach to infrastructure management," McDonald said.

On Monday, OWASP also made sure to announce the leak to its followers on X.

“No joke, we did have a data breach in late March involving the resumes of our earliest members. Rest assured, all current membership data remains secure,” the foundation stated. “We recognize the unfortunate irony here, and are determined to make it our last breach,” it said.

It’s not clear how many members’ data may have been exposed, but the foundation boasts “250+ local chapters worldwide” and “tens of thousands of members” on the ‘About’ section of the website.

Jason Kent, Hacker In Residence at Cequence Security, said, "As a member and someone who participates in this community, this leak obviously makes me sad and ask questions."

“OWASP’s goal is to help organizations find problems with their web applications, application code, and server frameworks. To have a web application data breach is a bit of an egg on the face of OWASP as a whole,” Kent explained.

Yet, Kent also said that the security community is less about the “why” and more about doing what needs to be done to make it right. “We get to the heart of it, fix it, and make sure everyone knows what happened and how to stop it," he added.

Thousands of members affected

The resumes – collected from 2006 to 2014 as part of an earlier requirement to join the foundation – are said to have included members' names, email addresses, phone numbers, physical addresses, and other personally identifiable information.

Kent says the fact that the compromised data was “a decade to almost two decades old” doesn’t make the loss any better, but he applauds “OWASP for being open and honest and being an example of how to respond when the inevitable happens."

"If it can happen to an organization of volunteers that want the world to be a safer place, it can happen to your organization of security professionals dedicated to your environment being a safer place," he said.

OWASP also stated that because the data in question was more than a decade old, contact information is likely outdated for former members – and, therefore, will create a challenge for the foundation to notify potential victims of the leak. Regardless, OWASP said it will attempt to contact the “email addresses discovered during our investigations.”

For current members, OWASP states that at present, only minimal personal information is collected and retained in the cloud using best security practices such as two-factor authentication. Still, the foundation is urging caution for long-time members “when answering unsolicited emails, mail, or phone calls.”

Kent commented that if OWASP had "purged all data when they moved to the new systems a couple of years ago, this wouldn’t have happened."

Finally, OWASP said it has already removed all membership information from the Internet or requested that it be removed from the Web Archive.

“We have disabled directory browsing, reviewed the web server and Media Wiki configuration for other security issues, removed the resumes from the wiki site altogether, and purged the CloudFlare cache to prevent further access,” OWASP said.
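As an added illustration (not code from the article or from OWASP), the check below flags HTTP response bodies that are auto-generated directory listings of the kind the statement above describes, so an operator can audit saved responses from their own hosts offline; the URLs and HTML are constructed samples, and the signatures assume the default Apache and nginx autoindex templates.

```python
import re

# Signatures of auto-generated directory index pages (assumption: the
# servers use their default Apache/nginx autoindex templates).
_INDEX_TITLE = re.compile(r"<title>\s*Index of /[^<]*</title>", re.IGNORECASE)
_APACHE_SORT_LINKS = re.compile(r'href="\?C=[NMSD];O=[AD]"', re.IGNORECASE)
_PARENT_DIR = re.compile(r"Parent Directory", re.IGNORECASE)


def looks_like_directory_listing(body: str) -> bool:
    """Return True when an HTML body resembles an Apache/nginx autoindex page."""
    if not _INDEX_TITLE.search(body):
        return False
    # Both servers print a parent-directory link; Apache additionally emits
    # sortable column links of the form ?C=N;O=D.
    return bool(_APACHE_SORT_LINKS.search(body) or _PARENT_DIR.search(body))


def listed_files(body: str) -> list[str]:
    """Extract hrefs from a listing, dropping sort links and parent/self links."""
    hrefs = re.findall(r'<a href="([^"]+)"', body, flags=re.IGNORECASE)
    return [h for h in hrefs if not h.startswith("?") and h not in ("/", "../", "./")]


def audit(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each URL whose body is an exposed listing to the entries it reveals."""
    return {url: listed_files(body) for url, body in responses.items()
            if looks_like_directory_listing(body)}


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "https://wiki.example.test/images/": (
        "<html><head><title>Index of /images</title></head><body>"
        '<h1>Index of /images</h1><table><tr><th><a href="?C=N;O=D">Name</a></th></tr>'
        '<tr><td><a href="/">Parent Directory</a></td></tr>'
        '<tr><td><a href="resume_2008.pdf">resume_2008.pdf</a></td></tr>'
        '<tr><td><a href="member_cv.docx">member_cv.docx</a></td></tr>'
        "</table></body></html>"
    ),
    "https://wiki.example.test/Main_Page": (
        "<html><head><title>Main Page - Wiki</title></head><body>"
        '<a href="/wiki/Special:RecentChanges">Recent changes</a></body></html>'
    ),
}

if __name__ == "__main__":
    for url, files in audit(SAMPLE_RESPONSES).items():
        print(f"EXPOSED {url}: {len(files)} entries, e.g. {files[:2]}")
```

A hit means the fix OWASP describes still applies: `Options -Indexes` in the relevant Apache `<Directory>` block, or `autoindex off;` in nginx, followed by a CDN cache purge so stale listings stop being served.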

OWASP apologized to those affected by the leak and said the foundation is currently reviewing its data retention policies and will implement additional security measures to avoid further breaches.

Kent compared the leak to another incident involving the US credit bureau Equifax, noting that “immediately prior to 2014, every person in the USA’s data was lost when Equifax was breached, and all of that data was extremely up to date.” In this case, Kent points out that OWASP no longer collects this data and has moved to new systems, highlighting the importance of robust data retention policies.

Founded in 2001, the US-based non-profit foundation uses community-led open-source projects 'to help improve the security of software,' as well as hosting local and global conferences, educational workshops, and forums.

The chapters are free and open to anyone interested in improving application security, OWASP states.