Don’t go dissing DevOps: a supplier has ‘fessed up to a website vuln
Scrum.org, the Scrum certification and training site run by Scrum co-creator Ken Schwaber, appears to have contacted users to warn them of a nasty security breach.
Reg reader “KB” has sent us an email sent to Scrum.org members and customers that says “On May 26, 2016, we noticed an issue with the Scrum.org website outgoing mail server.”
“Upon investigation, we determined that emails used to communicate initial passwords were not being sent.
After further investigation, our information technology professionals discovered that some of our mail server settings had been modified and found one new administrator user account.”
“The very next day, we were informed by one of our software vendors that we use to operate the website that their software contained a newly discovered vulnerability, which accounted for the issues we had seen. We immediately confirmed the applicability of the vulnerability and followed all of our vendor’s instructions to ensure the vulnerability was resolved.”
The email goes on to say “… we have determined that user’s names, email addresses, encrypted passwords, the password decryption key, and completed certifications and their associated test scores may have been compromised, but at this time we are not able to confirm that any of these items were actually taken, nor is there any evidence that any of this information was used by an unauthorized individual.”
Even users’ photo avatars may have been pinched.
One small upside: the company says “No financial information was involved in this incident.”
We’ve contacted Scrum.org to ask if they can tell us more about the breach and will update this story if new information becomes available. ®
Sponsored: Rise of the machines