A hacker gained access to internal files and documents owned by security company and SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company's Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
Jelle Ursem, a Netherlands-based security researcher who found the credentials, contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the next day.
Ursem told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company's OneDrive, and the company's organization chart on SharePoint, allowing him to see the staff's biographies, contact information including phone numbers and email addresses, photos, customer documents, calendar, and more.
He also shared several screenshots of folders containing agreements and contracts with several customers, with the names of customers in each filename, such as hospitals and U.S. state governments. Other documents appeared to be Comodo vulnerability reports. Ursem's cursory review of the data didn't turn up any customer certificate private keys, however.
“Seeing as they're a security company and give out SSL certificates, you'd think that the security of their own environment would come first above all else,” said Ursem.
But according to Ursem, he wasn't the first person to find the exposed email address and password.
“This account has already been hacked by somebody else, who has been sending out spam,” he told TechCrunch. He shared a screenshot of a spam email sent out, purporting to offer tax refunds from the French finance ministry.
We reached out to Comodo for comment prior to publication. A spokesperson said the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”
It's the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files inadvertently containing private credentials used for internal-only testing. Researchers like Ursem regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.
Earlier this year Ursem found a similarly exposed set of internal Asus passwords on an employee's public GitHub account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.
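The recurring failure in these cases is a credential committed to a repository before anyone notices. The scanner below is an added example written for this article, not code from TechCrunch, Comodo or the researcher. It checks text the way a pre-commit hook or CI job would: it looks for assignment-style secrets (`password = "..."`), a few fixed-format key types, and long high-entropy quoted strings, while ignoring obvious placeholders and environment-variable references. The detection patterns, thresholds and the sample config file are constructed assumptions for illustration; the AWS key in the sample is the documentation example value, not a real key.

```python
"""Scan text for committed credentials (added example; patterns are constructed)."""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Assignment-style secrets: smtp_password = "...", SECRET: '...', token => "..."
ASSIGNMENT = re.compile(
    r"""(?i)(pass(?:word|wd)?|secret|token|api[_-]?key|client[_-]?secret)
        \s*[:=]+>?\s*['"]([^'"]{6,})['"]""",
    re.VERBOSE,
)
# Fixed-format credentials that need no context to recognise.
KNOWN = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# Quoted strings long enough that a random-looking one is probably a key or token.
QUOTED = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{24,})['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character; hex tops out at 4.0, base64 goes higher
# Values developers legitimately commit; these must not be flagged.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>", "your-password-here"}


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """Skip dummy values and references to environment/template variables."""
    return value.lower() in PLACEHOLDERS or value.startswith(("${", "{{"))


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that looks like it carries a credential."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for kind, pat in KNOWN:
            if pat.search(line):
                findings.append(Finding(n, kind, line.strip()))
        m = ASSIGNMENT.search(line)
        if m and not is_placeholder(m.group(2)):
            findings.append(Finding(n, "assigned-" + m.group(1).lower(), line.strip()))
        if len(findings) == before:  # only fall back to entropy if nothing else matched
            for q in QUOTED.finditer(line):
                if shannon_entropy(q.group(1)) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(n, "high-entropy-string", line.strip()))
                    break
    return findings


# Constructed sample of a config file a developer might commit by mistake.
SAMPLE = """\
# mail settings for the marketing bot
smtp_user = "marketing-bot@example.com"
smtp_password = "Tr0ub4dor&3xample"
db_password = "changeme"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_token = "${API_TOKEN}"
signing_key = "Xq7pL2vR9sT4wZ8mK1nB6jH3yF5dC0aE"
"""


def main(paths: list[str]) -> int:
    """Pre-commit style entry point: scan each file, exit 1 if anything is found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                total += 1
                print(f"{path}:{f.line_no}: {f.kind}: {f.snippet}")
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for f in scan_text(SAMPLE):  # demo run over the constructed sample
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Run it with file paths as arguments from a pre-commit hook and the non-zero exit blocks the commit; run it with no arguments and it scans the embedded sample, flagging the real-looking password, the AWS key and the high-entropy signing key while leaving the placeholder and the `${API_TOKEN}` reference alone. A scanner like this is a safety net, not a substitute for keeping credentials out of source entirely and enforcing two-factor authentication on the accounts they unlock.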