Alert of the Month: Code Repository Gone Bad

Recently, CybelAngel encountered one of the most dangerous types of data leak: source code from an accidentally exposed repository. Code repositories, most commonly on GitHub, are indispensable tools for engineers, systems architects, and developers to write, test, and publish code into production. By creating a repository with their company credentials, employees can access and work on their coding project anywhere and at any time, so long as they have internet access.

But “code” does not cover the breadth of information a repository holds. Alongside the code itself, repositories contain logic, functions, credentials, API calls, data sets for internal and external services, tokens, and more. In some cases, hard-coded API keys and tokens sit directly in the source. This accretion of critical digital assets is precisely what makes exposed code repositories so dangerous: a single repository can hold all the information needed to orchestrate a massive data breach, a ransomware campaign, or other cyber attacks.

Our clients rely on CybelAngel’s Data Breach Prevention solution to locate unknown and exposed code repositories on platforms such as GitHub. Recently, our analyst found such a repository, and they hit the mother lode. In a personal public repository created using their company credentials, a developer had stored access tokens for the company’s Customer Relationship Management (CRM) software, including credentials to multiple development, testing, and live environments. Aside from the access that threat actors could gain from the exposed credentials, several kinds of sensitive data were available, including PII, PINs, bank account information, confidential documents, and personal data. Possibly most concerning were credentials giving access to the company “data lake” and to its governance, risk, and compliance efforts. Having these publicly exposed creates an opportunity for SEC investigations and fines.
If threat actors had encountered this repository, they would have had everything they needed for spear phishing, network penetration, IP theft, fraud, or theft. All of these risks were created by a single unintentional act of negligence; our analysts suspect that the owner of the repository was unaware that it was public.

After investigating this cloud app breach, our analyst team informed our clients and created a remediation plan. Remediating any kind of leak requires multiple steps, and with so many potentially dangerous assets exposed, several strategies were needed. The exposed credentials opened our clients to too many cyber threats to list, so our first recommendation was to change all of the exposed credentials, rendering the leaked values useless. The next step was to remove the repository, either by shutting it down or by making it private. In code repository cases, erasing the sensitive data from the current version is not enough, because the platform keeps a history of all past modifications. You must either locate the owner and have them make the needed changes or work with the platform directly; working with the owner is typically faster and should be the first option.

While this incident involved a particularly dense and dangerous leak, the story is quite common. Nearly every organization relies on code repositories, which makes this risk ubiquitous. This is why companies benefit from digital risk protection services like CybelAngel’s Data Breach Prevention. Our comprehensive internet scanning locates data leaks across public GitHub code repositories, cloud storage buckets, and exposed databases, allowing us to identify third-party risks and inform our clients before threat actors target them. By proactively searching for these leaks, you protect your company, customers, and employees in one go.
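The hard-coded API keys and tokens described above are the kind of thing a repository owner can catch before pushing. The following is an added example, not CybelAngel’s tooling or the client’s code: a small scanner that flags publicly documented credential formats and high-entropy quoted assignments in file contents, reporting only a redacted preview. The detector names, the entropy threshold, and the sample files in SAMPLE_REPO are constructed for illustration; it scans the supplied contents only, so the commit history the post warns about needs its own pass.

```python
import math
import re

# Detectors: (name, pattern, index of the regex group holding the candidate secret).
# The AWS "AKIA" and GitHub "ghp_/gho_/..." prefixes are publicly documented formats;
# the generic rule catches assignments such as api_key = "..." in any language.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), 0),
    ("hardcoded_assignment", re.compile(
        r"(?i)(api[_-]?key|token|secret|password|passwd)\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"), 2),
]

def shannon_entropy(value: str) -> float:
    """Bits per character: placeholders like 'xxxxxxxx' score near 0, real keys above ~3.5."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))

def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding can be matched to its credential without re-exposing it."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list[dict]:
    """Scan one file's contents (already read into memory); returns one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in DETECTORS:
            for match in pattern.finditer(line):
                value = match.group(group)
                # Only the generic rule needs the entropy filter; the prefixed formats are specific enough.
                if group != 0 and shannon_entropy(value) < min_entropy:
                    continue
                findings.append({"path": path, "line": lineno, "type": name, "preview": redact(value)})
    return findings

def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> contents, e.g. built by walking a checkout before committing."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

# Constructed sample files standing in for a checked-out repository (not real credentials).
SAMPLE_REPO = {
    "crm/config.py": 'CRM_BASE_URL = "https://crm.example.test"\nCRM_TOKEN = "q8Zr2LxW9vKp4TnB7yHs3MdF"\n',
    "deploy/.env.example": 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD="xxxxxxxxxxxxxxxx"\n',
    "README.md": "Set CRM_TOKEN through the secrets manager, never in source.\n",
}
```

Running scan_repo(SAMPLE_REPO) reports the CRM token and the AWS key ID but skips the all-x placeholder, which is what the entropy filter is for.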