back to article Crooks copy source code from Okta’s GitHub repository

Intruders copied source code belonging to Okta after breaching the identity management company's GitHub repositories. Okta was alerted by Microsoft-owned GitHub earlier this month of "suspicious access" to its code repositories and determined that miscreants copied code associated with the company's Workforce Identity Cloud ( …

  1. elDog

    As long as it doesn't hurt the bottom line, these venture-capital funded companies don't care.

    A large swath of the US gov't uses Okta for identify management. And the contracts must be huge.

    Tying a breach like this to a loss of government assets and assigning monetary damages to the VC owners would be very difficult. There is no top-to-bottom accountability.

    In the end the taxpayer is screwed by the perps via loss of identity and services, and then screwed by the gov't to try to remedy the situation. Win-win for some, lose-lose for us.

    1. Sceptic Tank Silver badge

      Re: As long as it doesn't hurt the bottom line, these venture-capital funded companies don't care.

      I doubt they keep their customer records on GitHub. In fact, the article mentions that. Your pennies are safe.

    2. Sigmund Fraud

      Re: As long as it doesn't hurt the bottom line, these venture-capital funded companies don't care.

      Everyone uses Okta ... it is the 900 pound gorilla of the Auth business. They just gobble up all the good competitors

  2. Sceptic Tank Silver badge
    Windows

    Oaf0

    So out there in the cloud your project is FOSS for all intents & purposes. Some projects are just harder to fork than others.

  3. Black Label
    Black Helicopters

    App used by USA Defense

    If the app is used to protect USA Defense systems, believe me, the source code is worth a few million bucks.

    I would happily pay to analyze it, later exploit it.

    Remember the hacked RSA SecurID seeds? Lockheed Martin, L3 and others later?

    Yeap... Can all happen again :-)

    1. yoganmahew

      Re: App used by USA Defense

      Lastpass too started as source code breach. Like the article says, hard-coded credentials in code and scripts... infrastructure as service hsa it's downsides...

      1. Claptrap314 Silver badge

        Re: App used by USA Defense

        Secrets in source code is a full stop NO. IaC is no different, just a new set of excuses.

  4. Howard Sway Silver badge

    services like Okta's being so important to enterprises

    And yet this major vendor of mission critical security software thought it was just fine to trust their source code to somebody else's cloud service. OK, so the service wasn't hacked, but your code is instantly available once someone else can log in, from anywhere in the world.

    1. Anonymous Coward
      Anonymous Coward

      Re: services like Okta's being so important to enterprises

      We're spending 2 years and god knows how many $$$ moving off Atlassian because they no longer support on-prem, and we just make industrial displays. How in the unHoly Name of Balmer does a govt security system provider get away with having their source in github ?

  5. Version 1.0 Silver badge
    Joke

    "It is a good deed to forget a poor joke." - Brendan Behan

    I see so much happy commenting about Github these days but it looks like the original views and discussions of its' features, resulting in the name Github being used, have all vanished. But now we're seeing things happening that were thought to be potentials when the name Github first appeared. Originally today's levels of hacking, malware, and data thefts were not happening back then, so the name was just a joke.

  6. Richard 12 Silver badge

    Why outsource core functions?

    It seems very foolish for a software house to store its source code on somebody else's computer.

    Especially when that someone else is a direct competitor.

  7. Anonymous Coward
    Anonymous Coward

    Okta users don't care either

    A previous employer was compromised as a result of an earlier Okta breach. They continued with plans to go full-Okta anyways. Even DevOps. One more Okta breach would mean racing against hackers to regain control of all company assets. Believe me, the hackers would be far faster and better coordinated.

    I don't believe a word Okta says when they claim the source code isn't important for security. There will be names of people, insecure hacks, and likely old development access tokens in historical revisions. It's an excellent starting point.

    1. Yet Another Anonymous coward Silver badge

      Re: Okta users don't care either

      The plans to Death Star being on github aren't important, this battle station is the ultimate power in the universe

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like