OWASP data breach compromises the resumes of some of its past members 

Home » Blog » OWASP data breach compromises the resumes of some of its past members 

OWASP data breach compromises the resumes of some of its past members 

The globally renowned non-profit group OWASP, which works on the improvement of web application security, has recently been targeted by attackers through a data breach. 

OWASP became aware of the breach in late February 2024 upon receiving support requests. 

What has happened? 

The attackers have effectively exploited a misconfigured WikiWeb server, allowing them to snoop into some of the OWASP’s old members’ resumes and personal data. 

The affected members are from the range 2006 to 2014, making it highly challenging for OWASP to inform them about their personal details being breached. 

It comes as almost an irony. OWASP (Open Web Application Security Project) is one of the world’s top organizations known for its comprehensive online freely available methods, documents, articles, tools, and technology, that helps secure web applications globally.  

What was compromised? 

The OWASP foundation added that among the compromised data were personally identifiable information such as names, phone numbers, and addresses. 

Although the data that is compromised is at least 10 years old and belongs to old members, it poses a significant risk to OWASP and its members given how big the community is. 

Currently, it has more than ten thousand members across 100s of countries worldwide. Attackers could simply engage in luring the members through phishing campaigns tailored via the leverage of these personal data. 

They could further engage in stealing the identity of previous OWASP members to reach out to other members or engage in illegal activities using the identities. 

OWASP was used to collect resumes as a procedure of membership between 2006 to 2014. The online community has stopped collecting resumes for a long time as part of their membership process. 

Actions taken by OWASP 

To rectify the breach, OWASP has reviewed their web server, disabled browsing of the directory checked the Media Wiki configuration for security issues, and removed all the compromised resumes from the site. They have purged all the CloudFlare cache as a proactive measure to prevent further access and have requested the removal of information from the Web Archive. 

Since the data breach, OWASP has started reaching out to all the parties that could have been affected, on their email addresses warning them of their compromised details and the risk of getting fraudulent SMS, messages, and calls. 

The community has expressed its concern over the matter to its members, given its reputation for rendering effective strategies, solutions, and resources for cybersecurity.  

They have issued a detailed advisory on their site for the parties that could have been affected by the breach.   


Experience end-to-end management
of statutory and regulatory compliance
through our dedicated service for compliance

Explore More >

Latest Post