Misconfigured security controls put systems and data at high risk of data and identity theft. Lately, some large enterprises suffered data leaks as a result of misconfigurations in their infrastructure, and a hacker collated the leaked material in one place.
Operation 'Confidential & Proprietary'
In July 2020, developer and reverse engineer Tillie Kottmann obtained source code from exposed repositories of more than 50 companies.
- The researcher collected the leaks from various sources and by hunting for misconfigured DevOps tools that expose source code. The leaks, named “exconfidential” or “Confidential & Proprietary,” were available in a public repository on GitLab.
- The impacted companies belong to various domains (tech, finance, retail, food, eCommerce, and manufacturing). The leak list includes big names such as Adobe, Lenovo, Intel, AMD, Qualcomm, Microsoft, Motorola, MediaTek, GE Appliances, HiSilicon (owned by Huawei), Nintendo, Roblox, Disney, and Johnson Controls, among others.
- According to Bank Security, the findings also included hardcoded credentials in the easily accessible code repositories, which can cause direct harm or contribute to a larger breach.
More Source Code Hunting
Experts believe that there are more companies with misconfigured DevOps tools exposing source code.
- In late July, the Nintendo leak, known as Gigaleak, was found to contain source code and development repos of multiple classic games.
- Other notable source code leak incidents include the Mercedes-Benz onboard logic unit (OLU) in May 2020, Microsoft’s Xbox and Windows NT 3.5 in May 2020, and Valve’s Counter-Strike: Global Offensive in April 2020.
There have been several infamous source code leaks in the past as well, including the iBoot leak of the iPhone’s core software in February 2018 and the Microsoft Windows 10 source code leak in February 2018. These leaks uncovered the internal details of the world’s most popular operating systems, putting millions of users at risk. They show that technology companies need to implement proactive security measures to better protect their software infrastructure and intellectual property.