> Ray didn't work there any more
I should hope not.
Dev's last-day-of-contract code helped to crash app used by 350,000 people
Welcome to Monday morning and therefore to a new instalment of Who, Me? It's The Register's weekly column that shares your tales of workplace errors and absolution. This week, meet a reader we'll Regomize as "Ray" who reached the end of a temporary contract working at what he described as "a major corporation." Ray was ready …
-
-
-
Tuesday 25th November 2025 21:44 GMT PB90210
You bar steward!
That's an earworm that will be stuck in my head for days. I spent ages stuck trying to remember the name in the song (Car-Ray!)
Funny, that didn't happen when it appeared on the Kelly Enema Video Show (damned spell chucker) on one of those obscure freeview channels a while back
-
-
Monday 24th November 2025 07:36 GMT wolfetone
"Fortunately, the major corporation had good backups. And of course Ray didn't work there any more, so this incident was not his problem!"
I'd like to think that Ray got a few quid for giving Major Corp. Inc. a good real world disaster test of their back ups, and any issues found on the back of that were duly fixed.
Have a pint Ray.
-
-
Monday 24th November 2025 08:26 GMT David Harper 1
Reading between the lines ...
It looks like Ray committed a file containing production database login credentials into the company's source code repository. That is shoddy practice on so many levels. If Ray had worked in my organisation, he'd be getting a very severe bollocking from our cybersecurity team *and* our DBA team.
-
Monday 24th November 2025 09:03 GMT Anonymous Coward
Re: Reading between the lines ...
I'm still a bit fuzzy on that next bit of the story - someone finds that conn str in the repository and decides to use it to access access a test database ?
The clue should be in the server name in the string .
And thats not a random user , thats a developer with access to the repo
-
Monday 24th November 2025 10:09 GMT Doctor Syntax
Re: Reading between the lines ...
The clue is probably in "default base configuration" and "anyone else at the major corporation who could use that code" and if that code was now part of the applications used by the 350,000 users not just "a developer with access to the repo". OTOH if that code also allowed a user to issue a "DROP TABLE" there were more bugs than the one Ray fixed.
-
-
Monday 24th November 2025 10:09 GMT richardcox13
Re: Reading between the lines ...
A contractor who did that should be told they're not working for the major company again.
For a junior employee, a formal disciplinary would be appropriate, for anyone at all senior there is no excuse.
This might seem harsh, but remember this would, amongst everything else, be a GDPR violation.
-
Monday 24th November 2025 21:36 GMT John Brown (no body)
Re: Reading between the lines ...
"This might seem harsh, but remember this would, amongst everything else, be a GDPR violation."
"Could" not "should". There's no mention in the article regarding what data was contained in the database nor what country it occurred in and so may not be covered by GDPR anyway.
-
Wednesday 26th November 2025 12:30 GMT KarMann
Re: Reading between the lines ...
"Would" not "should"."This might seem harsh, but remember this would, amongst everything else, be a GDPR violation."
"Could" not "should". There's no mention in the article regarding what data was contained in the database nor what country it occurred in and so may not be covered by GDPR anyway. [emphasis added]
-
-
-
Monday 24th November 2025 12:02 GMT Just Enough
Re: Reading between the lines ...
Totally this. He committed to the repo details that allowed the script to be run by anyone, connecting with developer level permissions to a production database.
The person who ran it was probably either expecting the script to use the connection they already had, or prompt them for authentication. But instead it immediately ran against the database defined in the script. And it would also be storing a password in plain text, for all to see.
This is terrible code handling by Ray, who is far too smug about a situation he caused.
-
Monday 24th November 2025 16:55 GMT tiggity
Re: Reading between the lines ...
.. and with proper practices used that troublesome commit would never have occurred as would first have needed code review* with multiple people (of appropriate roles) approving and then it would finally get committed.
* which *should* catch that sort of thing, though confused why any creds in code base as normally appropriate creds for that pipeline are injected in the test instance and (separate creds / system for this) then the deployment instance & never in the code base.
-
-
-
Monday 24th November 2025 09:22 GMT DS999
As a long time consultant/contractor
I knew well that permanent employees will always blame us for stuff after we're gone. Usually to cover their own ass, but sometimes it is even our fault. I always figured that's part of the reason we're getting paid a lot more than they are, we give them a convenient target to point the finger at. Both because we're no longer there to defend ourselves, and because they don't like higher ups bringing us in to "touch their stuff". Goes with the job, sort of like how a good manager will take the bullets for his employees.
-
-
-
Monday 24th November 2025 21:58 GMT doublelayer
Re: Not Rays mistakte!
At the point you commit your configuration file into the source repository, it's no longer your configuration file. Now it's anyone with code access's configuration file. If there's a credential in there, now it's available to a lot more people which can be a lot more of a problem. You can't easily have a repository with a file that the people able to access it can't read, and trying to hack that, at which you technically can succeed, is evidence that something is going wrong somewhere.
-
Biting the hand that feeds IT
