So, what happened with GitHub, Heroku, and those raided private repos?

GitHub says it has identified and alerted developers who have had their private repositories accessed and downloaded via stolen authentication tokens. In this multifaceted fiasco, Microsoft-owned GitHub insisted its security was not breached. Instead, we're told, "compromised OAuth user tokens from Heroku and Travis-CI- …

  1. Pascal Monett Silver badge

    Bit by bit, we will learn

    All these online repositories are teaching us security in a way a classroom just couldn't.

    There's nothing like real-life situations to raise awareness, and the Internet makes security a 24/7 affair.

    I guess in ten years' time, there will be exhaustive classes on security, full of "lessons learned" (or an Internet Security For Dummies* book), that will actually be useful enough to ensure that people who take them will know all of what to avoid.

    * : yes, I know, there is one already. What I mean to say is that, in a decade or so, we'll likely have enough experience to ensure that all aspects are covered, including online repositories, stacks and other VMs. We're not done finding out how our data can be hacked, is what I'm saying.

    1. Doctor Syntax Silver badge

      Re: Bit by bit, we will learn

      In ten years' time there'll be fresh categories of lessons to learn, and that will be in addition to the existing lessons, still unlearned by those who will learn by no teacher other than experience.

  2. Will Godfrey Silver badge

    So contrary to Google's apparent claims, OAuth everywhere isn't the ultimate answer to security. There are other factors. Who knew?

    Oh well, back to Password password on all my accounts then :P

  3. Anonymous Coward

    Compromised AWS API key the root?

    So, are we to read into this that somewhere in a repo on GH, someone had stored the AWS creds IN THE CODE?

    Of course this happens all the time, even accidentally. Been there done that, got t-shirt.

    Now, I feel I spend half my time barracking my fellow colleagues not to hardcode anything. AND THEY STILL DO IT.

    We even got compromised because the creds were hardcoded somewhere... AND THEY STILL DO IT!!

    You can lead a horse to water, but you can't force it to drink...

    1. Anonymous Coward

      Re: Compromised AWS API key the root?

      You're not using enough water.

    2. Missing Semicolon Silver badge

      Re: Compromised AWS API key the root?

      That's how GitOps works.
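An added example, not from the article or any commenter, of the kind of check the thread above is asking for: a small Python scanner that flags AWS credential material hardcoded in source files, run here over constructed sample files. The key formats (AKIA/ASIA prefix plus 16 characters for access key IDs, 40 characters for secret keys) are the real AWS shapes; the file contents and paths are constructed, and the values are the example credentials from AWS's own documentation.

```python
import re

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA; 16 more chars follow.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-ish chars; requiring an assignment context cuts false positives
# (a bare 40-char token could be a commit hash or a random string).
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key|secret)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def mask(value):
    """Keep only the edges of a secret so a report never re-leaks it."""
    return value[:4] + "..." + value[-4:]


def find_hardcoded_aws_creds(path, text):
    """Return (path, line_no, kind, masked_value) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "access_key_id", mask(m.group(0))))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "secret_access_key", mask(m.group(2))))
    return findings


def scan_repo(files):
    """files: mapping path -> contents (a checkout, a diff, or a pre-commit staged set)."""
    results = []
    for path, text in files.items():
        results.extend(find_hardcoded_aws_creds(path, text))
    return results


# Constructed sample tree: one file with credentials pasted in, one that reads them
# from the environment at runtime (the pattern the comment above is arguing for).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "app/main.py": (
        "import os\n"
        "key = os.environ['AWS_ACCESS_KEY_ID']  # injected at runtime, not hardcoded\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, kind, shown in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: hardcoded {kind} {shown}")
```

Wired into a pre-commit hook or CI step, the same `scan_repo` call over the staged diff blocks the commit before the key ever reaches a hosted repository.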

  4. oiseau

    You can lead a horse to water, but you can't force it to drink ...

    Quite so.

    But in the case of your fellow colleagues, I'd say it is more like what this famous quote says:

    "Mama says, 'Stupid is as stupid does.'" *

    * Tom Hanks in 'Forrest Gump' - 1994

  5. Anonymous Coward

    The cloud is someone else's computer...

    ... and not always only the computer of the one you have transferred your data to...

  6. Anonymous Coward

    Rotten Phish

    OAuth is only as good as its tokens. The tokens are only as good as the company that issues them. The company that issues them is only as good as their internal policies. BUT

    This looks like a Heroku employee stupidly fell for a phishing scheme, and with his OAuth token the raiders proceeded to raid, as is their wont.

    It's easy to identify stupid employees after the screw up. Identifying employees who are susceptible to phishing is impossible. Just ask the Nigerian Prince.

  7. Kev99 Silver badge

    But, but, storing your data in the "cloud" is perfectly safe. No one would ever be able to steal anything.
