Data breach in Scrum.org website exposes user data – update
A leak in Scrum.org’s system may have revealed names, email addresses, encrypted passwords, decryption key, certifications, and associated test scores. The organization reports this to users in an email.
In the email, the organization reports that issues with the outgoing mail server were discovered on May 26, 2016. An investigation revealed that emails that should normally be sent with temporary passwords were not sent, which was caused by changed settings. In addition, a new administrator account was discovered.
Subsequently, a software company that Scrum.org works with disclosed that its software contained a newly discovered vulnerability that caused similar problems to those on Scrum.org’s servers, leading to the vulnerability being fixed immediately.
Despite this, there is a good chance that a large amount of personal data has been stolen, including any profile picture a user may have uploaded. It is not yet clear whether the information was indeed stolen. The organization has also not yet received any indication that the information has been used by others. Scrum.org says it does not store financial transaction information on its own servers, so such information cannot be compromised.
Scrum.org has reset all user passwords and advises users who use the same password elsewhere to change it as well.
Update June 2: through a user of Scrum.org we got the answer that Scrum.org gives to the request for more information. Little new information is given, other than that the decryption key of the passwords was also captured and that the passwords were salted, but not hashed. Implementing a hash function could not be done immediately because this would require changes in certain interfaces. The entire response can be found on The Daily WTF forum.
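The reply reported above says the stored passwords were salted and encrypted rather than hashed, so whoever holds the stored records and the captured decryption key can recover every password. As an added illustration (not Scrum.org's code), the following Python snippet shows the salted one-way scheme the organization says it cannot adopt yet: a stored record can be verified against a login attempt but cannot be turned back into the password, because no key exists to capture. The record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout (constructed for this example):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
# Work factor is a constructed choice; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, one-way digest of the password.

    Unlike salt + encryption, there is no server-side key whose capture
    reverses the stored value: the salt is public and the digest is
    one-way, so an attacker holding the database must guess passwords.
    """
    if salt is None:
        salt = os.urandom(16)  # unique per user, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True when a record was made with a weaker work factor than current.

    Used for gradual migration: on a successful login, re-hash the
    plaintext the user just supplied and replace the old record.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" \
        or int(parts[1]) < ITERATIONS
```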