The online assessment and certification website Scrum.org has notified its users of a hack that might have compromised their personal information.
A Scrum.org member named “KB” recently sent The Register an email they received from the website’s IT team notifying them and other customers of the breach.
The email notes that on May 26, Scrum’s security teams launched an investigation into an issue involving the website’s outgoing mail server. They soon determined that the website was not properly sending out emails used to communicate initial passwords to new members.
Eventually, the certification body’s IT professionals found that someone had modified the website’s mail server settings and had set up a new administrator user account.
It didn’t take long for Scrum.org to find out how the attackers had obtained the access to make those changes. As the email explains:
“The very next day, we were informed by one of our software vendors that we use to operate the website that their software contained a newly discovered vulnerability, which accounted for the issues we had seen. We immediately confirmed the applicability of the vulnerability and followed all of our vendor’s instructions to ensure the vulnerability was resolved.”
Scrum.org goes on to warn in the email that the hack might have compromised users’ personal information, including their user’s names, email addresses, encrypted passwords, the password decryption key, completed certifications, their associated test scores, and possibly even their photo avatars.
It is careful to point out, however, that it was unable to confirm that unauthorized individuals either stole or used those pieces of information.
At this time, there is no evidence that the hack compromised users’ financial information.
The Register has reached out to Scrum.org and asked them to provide more information about the security incident. In the meantime, all Scrum members and customers should change their passwords and be on the lookout for phishing attacks targeting their email addresses.