Attackers used vulnerability in email server software

Jun 1, 2016 10:31 GMT  ·  By

Scrum.org started notifying users of a data breach last night, warning them to change their passwords, even if it had no evidence that anything had been stolen from its servers.

In an email sent to customers, obtained by Softpedia, Scrum.org reveals that last week, on May 26, its webmasters noticed a problem with the company's outgoing email server, which was not sending the emails with the newly created passwords to all new users who were signing up for the website.

Vulnerability in email server software led to data breach

After an investigation of the problematic email server, the Scrum.org team discovered that someone had illegally accessed its server, added a new administrator account, and had modified server settings.

The next day, Scrum.org received a notification from one of their software suppliers, informing the company of a newly discovered vulnerability in the email server's software.

The Scrum.org team verified its email installation and confirmed the vulnerability had been used to compromise its infrastructure. The team also took steps to mitigate the threat.

No financial information taken, passwords were salted

A subsequent investigation could not confirm whether the person behind the attack had actually stolen anything from Scrum.org's servers. Scrum.org itself says the attacker had access to usernames, email addresses, encrypted passwords, the password decryption key, and completed certifications and their associated test scores.

The website's operators said that user profile pictures were also stolen, but no financial information was stored on the server. For its part, Scrum.org salted the passwords, making them harder to crack.

In the meantime, the company has reset passwords for all its users, who'll be prompted to choose a new one the next time they log in.

Scrum.org handled the data breach professionally

Scrum.org is a website where developers come to obtain certification in "Scrum," a software development framework built on modern Agile software development principles. The site might not look important at first glance, but it's very popular among developers, and Scrum.org claims that it has provided more than one million certification and open assessments since it started.

For its part, Scrum.org has been admirable, providing customers with an in-depth explanation of what happened, and replying to every disgruntled tweet on social media.

Below is a screenshot of the Scrum.org data breach notification email, as well as a couple of tweets from the company confirming the breach. We skipped over the angry customer tweets, since there were quite a few of them, showing again the platform's popularity.

Scrum.org data breach notification email

h/t Philippe-Arnaud
