Some trouble has befallen Scrum.org, the Scrum certification and training site, following a security breach that compromised the information of multiple users. A hacker used software vulnerabilities to modify several mail server settings, and from there obtained sensitive user information over the course of a few days.

The breach was discovered when Scrum staff noticed an issue with the website outgoing mail server, which they discovered to have been altered, including the addition of a new administrative account. Shortly after, one of their software vendors contacted them about a newly discovered vulnerability in the software, which allowed for the breach.

Following the attack, hackers managed to access the usernames, email addresses, and users’ completed certifications and test scores, as well as both encrypted passwords and the password decryption key. It’s even possible that photo avatars have been taken, although there would be little purpose to that.

Fortunately, no financial information has been compromised. Scrum.org also notes that it cannot confirm how much information was actually taken, if any.

After receiving notification of the breach, The Register reports, Scrum.org staff immediately followed the vendor’s instructions to close the vulnerability that allowed for it to happen. The website also contacted its customers, alerting them to the breach, although some have been expressing their disapproval at how easily both the encrypted passwords and encryption key were stolen.

Notice of data breach by Scrum: "[stolen data includes] encrypted passwords, the password decryption key" wait what???

— Andreas Arnold (@featureenvy) June 1, 2016

Still, Scrum.org is working quickly to resolve the issue. Anyone with an account on the website should do the same, and change their passwords immediately, as well as any identical passwords on other websites. It’s never too early to react to a data breach.

Photo by elefevre7