Microsoft Employees Leaked Company’s Sensitive Data on GitHub

Microsoft’s GitHub pages, which contain source code for virtually every product and service the company has released over the past two decades, are extremely popular among developers. However, a new report published today reveals that some of these developers may not be as careful as they should be when storing their credentials on the platform. Microsoft employees leaked company-sensitive data on Microsoft GitHub repositories.

Specifically, Sonatype said it had discovered something similar at Microsoft: While reviewing private repositories in past weeks, Sonatype researchers found “employees of a single large enterprise” uploaded 61 credentials associated with internal resources like internal web services, databases as well as other code repositories.

The company says it didn’t disclose the organization’s name because its researchers contacted the enterprise and notified them about the issue before publishing their findings in a blog post today.

Microsoft employees, who had access to the company’s private GitHub repositories, placed more than 48,000 credentials on the open-source platform, a new report published today reveals.

The data was posted on GitHub by an unidentified group of Microsoft developers and appeared to have been exposed accidentally.

While this may be one of the largest exposures ever seen on the platform, it is not unusual for companies to accidentally leak sensitive information online. Data in a public repository can be found by any user who arrives there through conventional means, such as a Google search or a third-party website that listed all public repositories available for download from GitHub itself (a practice that has since been discontinued). Some developers will even share their code publicly without realizing what they are doing, making it easy for anyone looking for an easy hack, or simply for someone else’s credentials.

The report is titled “Data Exposure via GitHub Search” and was published by security firm Sonatype, which has also detected similar leaks in the past with Amazon and Chinese telecommunication companies.

Sonatype discovered the breach and has seen similar leaks in the past. In 2016, Sonatype found data from Amazon and Chinese telecom companies had been leaked on GitHub.

Specifically, Sonatype found 2700 tokens belonging to Amazon employees and 340 to Huawei engineers.

A token is a unique identifier that can be used to access a specific resource. Tokens are often used to authorize access to web services, databases, or other resources. They can also be used in place of a username and password to access private repositories on GitHub.

New research from Sonatype has found 2700 tokens belonging to Amazon employees, 340 to Huawei engineers, and 1120 to IBM workers in the open-source code repository.

The list of leaked tokens was published by Troy Hunt in May 2019 and included over 600,000 records worldwide.

It’s important to note that the leaked data could have been used maliciously in some way, but it’s not possible for us to know for sure. It is also possible that the data was never used by hackers and therefore had no negative impact on Microsoft or its customers.

However, we do know how often this type of breach occurs at major companies, and it’s not uncommon.

In both cases, the user-access tokens were leaked on GitHub because employees failed to read their company’s internal guidelines that forbid this practice. This highlights an important fact: even though many companies have strict policies prohibiting certain behaviors on social media platforms and other online spaces, those rules only work if you, as a user (or employee), follow them yourself.

Now, Sonatype said it had discovered something similar at Microsoft. The company’s data was also leaked online on GitHub, but this time by Microsoft employees instead of a third-party partner.

That’s not all: Sonatype also found that the repository containing Microsoft’s sensitive information had been open for anyone to see since last week. In addition to the usual vulnerabilities and exploits that come with such data leaks, there were internal documents from the company itself.

What makes this case even more worrisome is that these disclosures appear intentional rather than accidental, and Sonatype says they’re likely part of an ongoing effort within Microsoft itself. The repository page lists four contributors who added content between January 2016 and March 2018 (including one person who added six entries). Still, there could be more contributors than those listed on the page, since only one contributor can be assigned per entry in GitHub repositories (there was no username associated with any other entries).

This suggests someone intentionally uploaded their work into this publicly accessible repository even though there were multiple warnings on how important it is for companies like Microsoft to keep their secrets safe from prying eyes online!

While reviewing private repositories in the past weeks, Sonatype researchers found “employees of a single large enterprise” uploaded 61 credentials associated with internal resources like internal web services, databases, and other code repositories.

The credentials were not encrypted and were uploaded to public repositories. According to the researchers’ analysis of GitHub’s data, many of these breaches occurred because employees failed to read their company’s internal guidelines or did not know how to use GitHub properly.
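As an added example, not from the article or from Sonatype, here is a minimal pre-commit secret scanner in Python of the kind that flags hard-coded tokens, passwords and database connection strings like those described above before they reach a public repository. The rule set, placeholder list and sample configuration are constructed for this illustration; production scanners use far larger rule sets.

```python
import math
import re

# Credential-looking assignments: a key containing a sensitive word, followed by
# an 8+ character value. Rules are constructed for this example.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b[A-Za-z0-9_]*(password|passwd|secret|token|api[_-]?key|access[_-]?key)"
    r"[A-Za-z0-9_]*\s*[:=]\s*[\"']?([A-Za-z0-9_\-./+=]{8,})[\"']?"
)
# Connection strings carry the password between the first ':' and the '@'.
CONN_STRING_RE = re.compile(
    r"(?i)\b(?:postgres|mysql|mongodb|redis|amqp)://[^:/\s]+:([^@\s]+)@"
)
# Values that are documented placeholders rather than real secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_text(text: str, min_entropy: float = 2.5) -> list[dict]:
    """Return one finding per credential-looking value, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT_RE.finditer(line):
            kind, value = m.group(1).lower(), m.group(2)
            # Placeholders and low-entropy filler (e.g. "aaaaaaaa") are not secrets.
            if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                continue
            findings.append({"line": lineno, "kind": kind, "value": value,
                             "entropy": round(shannon_entropy(value), 2)})
        for m in CONN_STRING_RE.finditer(line):
            value = m.group(1)
            findings.append({"line": lineno, "kind": "connection_string", "value": value,
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


# Constructed sample config file; no value here is a real credential.
SAMPLE = """\
# settings.py
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
API_TOKEN = "c0nstructedExampleT0kenValue1234"
DATABASE_URL = "postgres://svc_user:Tr0ub4dor&3@db.internal.example/app"
LOG_LEVEL = "debug"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} (entropy {f['entropy']}) -> {f['value']}")
```

Run against staged files from a pre-commit hook, a non-empty result is the signal to block the commit; the placeholder and entropy filters keep documented dummy values from producing noise.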

The researchers also said they found evidence of similar leaks at other organizations and plan to investigate further.

“We believe that responsible disclosure works best when we can contact all parties involved at once,” said Marc Rogers, principal security researcher at Cloudflare, one of the researchers who first discovered data on GitHub. “This allows us to discuss our findings together and devise a plan for fixing them.”

Stolen data can be extremely valuable for hackers.

It’s not only the data itself that can be valuable to hackers. The fact that it was posted on GitHub leaves a trail of breadcrumbs for them to follow, allowing them to uncover more secrets about the company and its employees.

It may seem obvious, but stolen data can be used in multiple ways by hackers:

  • Phishing attacks: If a hacker has access to your email address or other personal information, they can use it to launch a phishing attack against you. This could result in you giving away more sensitive information, like your bank account number or social security number, which they can use for identity theft or fraud. It also gives them access to other accounts (like Facebook) linked to the victim’s email or phone number.
  • Targeting specific individuals: Hackers will often gather as much information as they can about their targets before making contact, so that they know how best to manipulate those people into handing over sensitive information or even money. For example, attackers might find out about an employee’s birthday and send an official-looking email congratulating them on getting older! The attacker might even pretend to be someone else within the company who sent the original request and “forgot” what was being discussed, when asked directly why they needed such sensitive information from another employee!

Conclusion

Microsoft has stressed that it has a process in place for employees who have access to GitHub repositories and that it has since taken action against those who violated the company’s internal policies.

The company also said that it doesn’t believe any of these leaked credentials were used maliciously. Still, this is just another example of how easy it can be for people to expose private data online by accident, and why companies should make sure their employees know better than to upload sensitive information to open-source platforms without thinking twice about the consequences first!
