Companies like Microsoft, Lenovo, GE, Nintendo and many others have created publicly visible repositories on sites like GitHub. Some of these repositories are empty and some may legitimately be intended to be public.
But those that contain access credentials – user IDs, passwords and API keys – likely are NOT intended to be public.
Some of the code from, for example, game developers, may be valuable intellectual property.
Think of this as a variant of the Amazon S3 buckets that are discovered all the time left open without any password.
The project, called “Confidential & Proprietary”, takes that code and posts it on its website.
Sometimes they tell companies about it in advance. Not always.
If they get a takedown notice, they remove it, but by then any damage is likely already done.
Bottom line: companies need to create a secure software development culture, and protecting their code and credentials is part of that.
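As an added, defender-side illustration of that last point (this is example code, not from the post or the Bleeping Computer story), here is a small pre-commit style scanner that flags lines which look like committed credentials before they ever reach a public repository; the detection rules and the sample file are my own constructions, and the AKIA value is AWS's published documentation example.

```python
import math
import re

# AWS key-ID shape and PEM header are documented formats; the variable-name rule is my own heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|pwd|api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
PLACEHOLDERS = {"changeme", "redacted", "placeholder"}

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, dictionary-style passwords low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_lines(lines, min_entropy: float = 3.5) -> list:
    """Return (line_number, rule) for each line that looks like a committed credential."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for rule in ("aws_access_key_id", "private_key_block"):
            if PATTERNS[rule].search(line):
                findings.append((no, rule))
        m = PATTERNS["assigned_secret"].search(line)
        if m:
            value = m.group(2)
            # Templated or placeholder values are safe to commit; skip them.
            if value.startswith("${") or value.lower() in PLACEHOLDERS:
                continue
            high = shannon_entropy(value) >= min_entropy
            findings.append((no, "assigned_secret_high_entropy" if high else "assigned_secret"))
    return findings

# Constructed sample file, not real credentials (the AKIA value is AWS's documentation example).
SAMPLE_FILE = """\
DB_HOST = "db.internal.example"
DB_PASSWORD = "${DB_PASSWORD}"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = 'q8ZJ2xP0mN4vT7yB1cR6'
admin_password = "Summer2024!"
-----BEGIN RSA PRIVATE KEY-----
""".splitlines()

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_FILE)  # pre-commit style: a non-zero exit blocks the commit
    print(*hits, sep="\n")
    raise SystemExit(1 if hits else 0)
```

The entropy split separates random-looking API keys from weak human-chosen passwords, but both are reported, since the post's point is that neither belongs in a repository at all.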
Does your company have a secure software development lifecycle program? Do you need help creating one? Contact us. Credit: Bleeping Computer