Zapier says someone broke into its code repositories and may have customer data

  • This is the most mealy-mouthed disclosure ever. Shame on them.

    How can an employee's 2FA misconfiguration lead to someone else accessing these repos? 2FA setups are supposed to prevent this sort of thing. If I had to guess, it was someone on the “devops/sre/infra” team that usually has god-mode access who was setting up some integration and disabled 2FA for testing or something for a test account … but it would have had to be disabled for a while for the attacker to get access.

    What kind of customer data were they storing in their repository? Were they storing raw webhook data/API responses in GitHub gists or something (wouldn't put it past them)?

    As a side note, I've worked with folks from Zapier and I'm not impressed with their engineering. Their integrations are super fucking brittle; it's like it was designed by toddlers. I would not depend on them for any kind of business-critical functionality.

  • Why is there customer data in code repositories?

    > The customer data had been “inadvertently copied to the repositories for debugging purposes,” according to an email obtained by The Verge.

    What on earth? How is this possible?

    > we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.

    "instances". Plural.

  • I never used it because I could never figure out the pricing. Fortuitous.

  • Zapier’s breach shows that even big SaaS companies can accidentally expose customer data in code repos. If they got hit due to a 2FA misconfiguration, how many other companies are at similar risk without knowing?
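The second comment asks how customer data ends up in a repository "for debugging purposes", and the last one asks how many other companies carry the same risk without knowing. One concrete answer to both is a pre-commit or CI scan that refuses files containing customer-looking data. The following is an added example written for this thread, not Zapier's tooling or anything from the article: the patterns, the allowlisted test domains and the three sample files are all constructed for illustration, and a real deployment would tune them to its own data formats.

```python
import re
import sys

# Patterns for data that has no business in source control. These are
# illustrative assumptions for this example, not any vendor's rule set.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*", re.IGNORECASE),
    "us_phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Fixture addresses that are fine to commit (assumed allowlist).
ALLOWLIST_EMAIL_DOMAINS = {"example.com", "example.org"}


def _allowlisted(kind, matched):
    """Return True for matches that are known-safe test data."""
    if kind == "email":
        return matched.rsplit("@", 1)[1].lower() in ALLOWLIST_EMAIL_DOMAINS
    return False


def scan_text(path, text):
    """Scan one file's contents; return a list of findings (no raw PII echoed)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if _allowlisted(kind, m.group(0)):
                    continue
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    # Truncated so the scanner's own output does not leak the value.
                    "excerpt": m.group(0)[:8] + "...",
                })
    return findings


def scan_files(files):
    """files: mapping of path -> contents. Returns all findings across files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents: a debugging dump of a webhook
# payload (the kind of thing the thread describes), a harmless test fixture,
# and a clean source file.
SAMPLE_FILES = {
    "debug/webhook_dump.json": (
        '{"customer_email": "jane.doe@acme-customer.test", '
        '"phone": "415-555-0137", '
        '"headers": {"Authorization": "Bearer abcdefghij1234567890XYZ"}}'
    ),
    "tests/fixtures/user.json": '{"email": "test.user@example.com"}',
    "src/zap.py": 'def run(event):\n    return event["id"]\n',
}


def main(paths):
    """CLI entry: scan files on disk (e.g. the output of `git diff --cached --name-only`)."""
    files = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            files[p] = fh.read()
    findings = scan_files(files) if paths else scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['excerpt']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it scans the constructed sample and exits non-zero because the debugging dump contains an email, a phone number and a bearer token; the fixture with an example.com address passes. Wired into a pre-commit hook over staged file names, a non-zero exit blocks the commit before the data ever reaches a shared repository, which is the point where a later account compromise would otherwise turn it into a breach.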