Source code leak took place due to a misconfiguration error.
A misconfiguration in the infrastructure of code repositories resulted in the leak of source code from dozens of mainstream, high-profile organizations across diverse sectors, including tech, food, retail, finance, manufacturing, and e-commerce.
A reverse engineer and developer, Tillie Kottmann, collected the leaks, dubbed Exconfidential, from different sources while searching for misconfigured DevOps tools that expose source code, and stored them in a repository on GitLab.
The list of affected companies is quite long; according to Bank Security, the source code of around 50 organizations has become public. This includes bigwigs like:
Huawei-owned HiSilicon
Johnson Controls, to name a few.
List of affected companies and source code details shared by the researcher on their Twitter account:
Kottmann revealed that some of the folders are empty, while others contain credentials. The leaked code includes repositories from fin-tech firms such as Fiserv, Mercury Trade Finance Solutions, and Buczy Payments, from identity and access management developers like Pirean Access: One, and from banks including Italy’s Banca Nazionale del Lavoro.
Furthermore, hardcoded credentials are present in the easily accessible code repositories. Kottmann also claims to have tried to remove such data to prevent a larger breach.
According to BleepingComputer, the developer did not notify the affected companies prior to releasing the details. However, Kottmann stated that if a company requests removal of its source code from the repository, it will be removed immediately.