Uber breach: How did a private GitHub repository fail Uber?
The recent Uber breach calls into question the use of code repositories. Expert Matt Pascucci explains how the breach of GitHub and Amazon Web Services occurred.
The recent Uber breach saw attackers obtain credentials to a private GitHub repository, which they then used to access the company's network. Is a private repository well-protected from threat actors? Should enterprises think twice about using services like GitHub for fear of exposing sensitive information?
Over the past couple of years, Uber has received a few black eyes when it comes to security. The news of the latest Uber breach involving a private code repository should remind users that code repositories are often targets for attackers due to developers' sloppy coding practices. We've seen many organizations publish code that included passwords and private keys publicly to GitHub.
Many people seem to jump the gun when considering this breach. I've spoken to a few people about this, and Uber wasn't hosting their code on a public version of GitHub. That being said, there are obvious concerns about hosting data on a third-party site without having additional security controls in place. It's unclear what, if any, controls were in place for Uber's repository and how the hackers obtained access to it.
In this instance, there were two third-party services at play: GitHub and Amazon Web Services (AWS). It was reported that the attackers used login credentials found in the repository to access Uber's AWS environment. They were then able to further sift through the AWS infrastructure until they found sensitive data that was valuable enough to sell.
Personally, I think this is less of a code repository issue and more of a general security failure because, in this scenario, there were multiple areas of failure that led to the data breach.
First things first: Let's not publish passwords, tokens or encryption keys in software code itself. This is just good practice, and starting there will help to develop a resilient threat model. The same advice goes for both public and private code being stored in repositories.
Likewise, multifactor authentication is available for both GitHub and AWS, and enabling it on both is not only possible, but highly recommended.
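As an added example (not from this article, and not Uber's or GitHub's own tooling), here is a small pre-commit style scanner that flags the kinds of credentials the advice above says should never be committed: AWS access key IDs, AWS secret keys, PEM private keys and hardcoded password literals. The regular expressions, the `nosecret` marker convention and the sample files are my own assumptions, written from the documented key formats.

```python
import re
from typing import Dict, List, Tuple

# Rules for credentials that must never be committed to a repository, public or
# private. The patterns are my assumptions, written from the documented formats
# of AWS access key IDs, AWS secret keys, PEM private keys and password literals.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"),
}

Finding = Tuple[str, int, str]  # (path, line number, rule name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return a finding for every line that matches a rule. Lines carrying a
    'nosecret' marker are skipped so documented placeholders do not block a commit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "nosecret" in line:
            continue
        for name, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, such as the files staged for a commit."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files standing in for a staged commit. The key values are
# fabricated and follow only the documented formats; none of them is real.
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DEBUG = False\n"),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "README.md": "export AWS_ACCESS_KEY_ID=AKIAXXXXXXXXXXXXXXXX  # nosecret placeholder\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: {rule}")
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit in a hook
```

Wired into a pre-commit hook over the staged files, the same check stops a credential from ever reaching the repository, which is where a private repository's access controls would otherwise be the only thing protecting it.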
There are risks when using third-party code repositories, as the Uber breach demonstrated, but many third-party providers offer security features that should be utilized. In this particular instance, it seems that they weren't used, and were possibly ignored.