720-891-1663

Return to the list of client alerts

Repeat After Me

While this has been a forever problem, it seems to be that hackers are using it more lately.

A Dutch researcher says that over the last 18 months he has found and reported credentials stored in public repositories in Github.

Most recently he found 9 U.S. organizations exposed the protected health information of 150,000 patients by storing access credentials in Github.

The researcher, along with a privacy advocate who goes by the handle Dissent published a report entitled “No Need to Hack When It’s Leaking: GitHub Healthcare Leaks Protected Health Information On the Public Web.”

Worse yet, most of the entities did not respond to initial attempts to contact them to report the exposure.

Among the 9 organizations are AccQData, MaineCare, MeddPro Billing and Texas Physicians House Calls.

And it is not only small companies that make this mistake; Uber paid a $100,000 bug bounty to a researcher who discovered hard coded credentials to an S3 bucket with backup data for 57 million accounts.

So what should you repeat after me: DO NOT HARD CODE CREDENTIALS. DO NOT PUBLISH CREDENTIALS TO GITHUB OR OTHER PUBLIC REPOSITORIES.

Know what else you need to worry about? Your third party providers who have your data doing the same thing because YOU are the one that will hung out to dry if they screw up.

This is just one piece of developer training for a secure software development lifecycle (SSDL) program. If you do development or contract development out to a third party, an SSDL needs to be part of your security program. Contact us for details. Credit: Data Breach Today