Scrum.org certification and training website hacked, blames software supplier for the breach
Scrum.org started notifying users last night of a data breach in which their account information might have been compromised after hackers exploited a new vulnerability in third-party software used to operate the website. Even though there is no evidence that the attacker has actually stolen or misused any of the exposed information, the organization warned its users to change their passwords.
Scrum.org provides training, assessment and certifications for the Scrum agile software development framework. An email sent to customers says: “On May 26, 2016, we noticed an issue with the Scrum.org website outgoing mail server.”
Yes, it's legit. We've taken steps to resolve the issue. Please email firstname.lastname@example.org with any questions you may have.
— Scrum.org (@Scrumdotorg) May 31, 2016
“Upon investigation, we determined that emails used to communicate initial passwords were not being sent. After further investigation, our information technology professionals discovered that some of our mail server settings had been modified and found one new administrator user account.”
“The very next day, we were informed by one of our software vendors that we use to operate the website that their software contained a newly discovered vulnerability, which accounted for the issues we had seen. We immediately confirmed the applicability of the vulnerability and followed all of our vendor’s instructions to ensure the vulnerability was resolved.”
Cheers @Scrumdotorg for losing my toxic waste. You didn't confirm in your notification whether the passwords were salted? Key detail that
— toxicdata (@toxicdata) May 31, 2016
The organization also warned its users via email that their usernames, email addresses, encrypted passwords, password decryption keys, certification information, and profile pictures might have been stolen by malicious actors.
The organization also pointed out that the incident did not involve any financial details, and that no other information is stored on its servers. However, the website’s operators said that user profile pictures were stolen. It is unclear how many users are affected by the breach.
After examining the problematic email server, the Scrum.org team found that someone had illegally accessed its server, added a new administrator account, and made changes to the server settings.
Scrum.org patched the vulnerability and the malicious admin account was removed. User passwords have been reset and the website has promised to move to a different software vendor this summer — one that provides better password security.
Meanwhile, the company has reset passwords for all its users, who will be prompted to choose a new one the next time they log in.