Startups, be careful… Watching a company get hacked
Working in the security and privacy space is an incredibly exciting and fast paced environment that never fails to keep you on your toes.
Not long ago a customer watched a successful attack unfold from one small mistake. By the time the client could react, it was already too late.
Full disclosure: this occurred on a test account and no personal or sensitive information was compromised, but it caused embarrassment and the realisation that, had the product been further along, it could have been a lot worse.
Timeline of events:
- The company is a startup that uses GitHub for version control and for sharing code within the team.
- The company doesn’t have a private repo, since at this stage the code is nothing of importance (this is one of the key problems).
- Development continues, and what was once a quick test turns into something more detailed.
- The company then purchases the commercial version and gets a private repo.
- The next day their “email provider” account is compromised and locked out, with nothing that can be done bar waiting days for the email provider’s support team to respond.
- The domain is used for sending out phishing emails (luckily it was not an authenticated domain and used the email provider’s generic string).
Public repositories are made for public information! Credentials should not be stored there, especially if you plan on using them going forward. When the individual noticed that the repo had gone private, they quickly compromised the account and did what they could with it; it took two days for the mail provider to freeze the account and restore access.
- Clean up your public repositories if you have them, as you never know what can be used to build up an intelligence picture of your organisation or app.
- If staff use these services, ensure the accounts are under company control so that sensitive information can be cleaned up and managed properly.
- Track and manage credentials in a secure place so that you can reset and redistribute them quickly and efficiently.
- Use a tool that sets you tasks for how to be secure in any area (DevOps, assurance or compliance), such as the app at periculo.co.uk; you can make use of the free trial to get a free assessment.
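The clean-up advice above has a catch: deleting a credential in a later commit leaves it in the git history, and anyone who cloned the repository while it was public already has it, so the credential has to be rotated, not just removed. The scanner below, added here as an example and not code from the original post or from any tool it mentions, walks `git log -p --all` output and flags added lines that look like credentials; the sample log it runs on is constructed, not a real repository.

```python
import math
import re
from collections import Counter

# Flag an added line if it assigns a password/key/token-like name, or carries a
# long high-entropy blob (a bare API key). Ordinary words sit below ~4 bits/char.
ASSIGNMENT = re.compile(r"(?i)(password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?[^\s'\"]{6,}")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=_-]{32,}")

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(log_text: str):
    """Parse `git log -p --all` output and return (commit, path, line) for each
    added line that looks like a credential. Every commit is walked, so a secret
    deleted in a later commit is still reported: it never left the history."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            added = line[1:]
            suspicious = ASSIGNMENT.search(added) or any(
                shannon_entropy(b) > 4.0 for b in LONG_BLOB.findall(added))
            if suspicious:
                findings.append((commit, path, added.strip()))
    return findings

# Constructed sample log (abridged: no authors, messages or hunk headers), not a
# real repository. The password added in aaaa... is deleted again in cccc...
SAMPLE_LOG = """commit cccccccccccccccccccccccccccccccccccccccc
--- a/config/mailer.env
+++ b/config/mailer.env
 SMTP_HOST=smtp.example.com
-SMTP_PASSWORD=s3cretPassw0rd!
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
--- /dev/null
+++ b/config/app.json
+  "sendgrid": "SG.x7Kp2mQ9vL4nR8tY1wZ3bC6dF0hJ5gA2eN",
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--- /dev/null
+++ b/config/mailer.env
+SMTP_HOST=smtp.example.com
+SMTP_PASSWORD=s3cretPassw0rd!
"""
```

To scan a real checkout, feed the text of `git log -p --all` to `find_secrets` instead of `SAMPLE_LOG`; every hit is a credential to rotate, whether or not it is still in the working tree.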