Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Adafruit discloses data leak from ex-employee’s GitHub repo

Adafruit has disclosed a data leak that occurred due to a publicly-viewable GitHub repository.

The company suspects this could have allowed “unauthorized access” to information about certain users on or before 2019.

Based in New York City, Adafruit is a producer of open-source hardware components since 2005. The company designs, manufactures, and sells electronics products, tools, and accessories.

Ex-employee’s GitHub repo had real customer data

On Friday, March 4th, Adafruit announced that a publicly-accessible GitHub repository contained a data set comprising information on some user accounts. This information included:

  • names
  • email addresses
  • shipping/billing addresses
  • order details
  • order placement status via payment processor or PayPal

The data set, according to Adafruit, did not contain any user passwords or financial information such as credit cards. However, the exposure of real user data, including order details, could be used by spammers and phishing actors to target Adafruit’s customers.

Interestingly, the data leak did not occur from Adafruit’s GitHub repository but that of a former employee. It appears that a former employee was using real customer information for training and data analysis operations in their GitHub repo.

“Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved,” explained the company.

Users demand proper notifications

At this time, Adafruit is not aware of the exposed information being misused by an adversary and claims it’s disclosing the incident “for transparency and accountability.”

The company has, however, decided not to email every user about the incident.

Adafruit explains that although all security disclosures are published on the company’s blog and security pages, there is no action for the users to perform as no passwords or payment card information were exposed in the data analysis set.

“We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case,” state Adafruit’s Managing Director Phillip Torrone, and founder Limor “Ladyada” Fried.

But, not all Adafruit customers are convinced, with some demanding email notifications be sent out with regards to the incident:

A major concern among users is the presence of real customer information in a former team member’s GitHub repo, as opposed to using automatically-generated “fake” staging data. And, how this information could be misused by phishing actors:

It is worth noting, keeping real customer data in GitHub repositories, even private ones, is a risky decision.

Last year, e-commerce giant Mercari had suffered a data leak via their private GitHub repo exposing over 17,000 customer records including banking information. Rapid7 also suffered a data leak via private GitHub repo impacting a “small subset of customers.”

“We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use,” says Adafruit.

Advertisement. Scroll to continue reading.

Users should remain vigilant for any phishing scams or communications they may receive impersonating Adafruit staff. The company especially cautions against bogus “password reset” alerts that may entice victims into giving away their passwords.

Adafruit requests that concerns related to any such suspicious emails or unauthorized access attempts by threat actors be directed to security@adafruit.com.

Source: https://www.bleepingcomputer.com/news/security/adafruit-discloses-data-leak-from-ex-employees-github-repo/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The Cyber Safety Review Board will assess how a hacking group reportedly linked to China leveraged a vulnerability in Microsoft Exchange Online to access...

Cyber Security

A North Korea based threat actor targeting personal accounts of technology firms through low-profile social engineering attempts. This campaign utilizes a combination of repository...

Cyber Security

Researchers at the RWTH Aachen University in Germany published a study revealing that tens of thousands of container images hosted on Docker Hub contain...

Cyber Security

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO