Uber breach: How did a private GitHub repository fail Uber?

The recent Uber breach calls into question the use of code repositories. Expert Matt Pascucci explains how the breach of GitHub and Amazon Web Services occurred.

The recent Uber breach saw attackers obtain credentials to a private GitHub repository, which they then used to access the company's network. Is a private repository well-protected from threat actors? Should enterprises think twice about using services like GitHub for fear of exposing sensitive information?

Over the past couple of years, Uber has received a few black eyes when it comes to security. The news of the latest Uber breach involving a private code repository should remind users that code repositories are often targets for attackers due to developers' sloppy coding practices. We've seen many organizations publish code that included passwords and private keys publicly to GitHub.

Many people seem to jump the gun when considering this breach. I've spoken to a few people about this, and Uber wasn't hosting their code on a public version of GitHub. That being said, there are obvious concerns about hosting data on a third-party site without having additional security controls in place. It's unclear what, if any, controls were in place for Uber's repository and how the hackers obtained access to it.

In this instance, there were two third-party services at play: GitHub and Amazon Web Services (AWS). It was reported that the attackers used login credentials found in the repository to access Uber's AWS environment. They were then able to further sift through the AWS infrastructure until they found sensitive data that was valuable enough to sell.

Personally, I think this is less of a code repository issue and more of a general security failure because, in this scenario, there were multiple areas of failure that led to the data breach.

First things first: Let's not publish passwords, tokens or encryption keys in software code itself. This is just good practice, and starting there will help to develop a resilient threat model. The same advice goes for both public and private code being stored in repositories.
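One way to enforce that advice before a commit ever leaves a developer's machine is a pre-commit scan of the staged diff. The script below is an added example, not code from the article or from Uber; it flags AWS access key IDs and private-key headers by shape, and flags values assigned to secret-looking names (secret, token, password, api_key) when their Shannon entropy suggests a random credential rather than a placeholder. The entropy threshold of 3.5 bits per character and the name patterns are assumptions chosen for illustration, and the sample diff is constructed (the two AWS values are the placeholder keys from AWS's own documentation).

```python
"""Pre-commit secret scan: flag credentials before they reach a repository.

Pipe `git diff --cached` into this script from a pre-commit hook; a non-zero
exit status blocks the commit. Only added ('+') lines are examined.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample diff. The two AWS values are the placeholder keys used in
# AWS's documentation, not live credentials.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+-----BEGIN RSA PRIVATE KEY-----
+# build number 1.2.3
"""

# Fixed-format secrets are matched by shape alone.
SPECIFIC_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Anything assigned to a secret-looking name gets an entropy check, so that
# `password = "changeme"` (low entropy) is ignored while random tokens are not.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{16,})[\"']"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, hand-tuned cutoff


@dataclass
class Finding:
    kind: str
    diff_line: int  # 1-based line within the diff text, not the source file
    excerpt: str    # the offending line with the secret value redacted


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str) -> list[Finding]:
    """Return one Finding per added diff line that looks like it carries a secret."""
    findings: list[Finding] = []
    for idx, raw in enumerate(diff_text.splitlines(), start=1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # only newly added content can introduce a secret
        line = raw[1:]
        matched = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(kind, idx, pattern.sub("<redacted>", line)))
                matched = True
                break
        if matched:
            continue  # avoid double-reporting a line already caught by shape
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(
                Finding("high-entropy-secret", idx, line.replace(m.group(2), "<redacted>"))
            )
    return findings


def main() -> int:
    # With no piped input, fall back to the constructed sample for demonstration.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        print(f"diff line {f.diff_line}: {f.kind}: {f.excerpt}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `git diff --cached | python scan.py` from `.git/hooks/pre-commit`; on the sample input it reports the access key ID, the secret key and the private-key header, and stays silent on the line that reads the token from the environment, which is the pattern the paragraph above recommends. Shape-based rules are checked first and short-circuit, so a line is reported once even when it would also satisfy the entropy rule.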

Likewise, when authenticating to both GitHub and AWS, using multifactor authentication for both is not only possible, but highly recommended.

There are risks when using third-party code repositories, as the Uber breach demonstrated, but many third-party providers offer security features that should be utilized. In this particular instance, it seems that they weren't used, and were possibly ignored.

This was last published in February 2018

Does your organization use GitHub and AWS private repositories? If so, how do you think the Uber breach will impact that use?