undefined | Better HN

0 pointsnightpool3y ago0 comments

> is to some extent back on github

How is it on Github? We know that it was a third-party integration that compromised. Almost every single third-party integration needs the ability to read source code. The fault here lies on Heroku for storing secrets that allowed access to their main customer database in a source code repo that was accessible to a third-party provider, as well as with the third party provider (whatever it was) for allowing their implementation to be compromised. At that point it's game over—your main database should never be accessible from your source code alone.

It is strange to me that they're certain it was accessed through a third-party Github integration, but they don't know which integration it was specifically. That feels like a failure of logging on Github's part, without any additional information.

0 comments

jrochkind13y ago

> How is it on Github?…

The whole sentence I wrote was: "But figuring out how they got access to a private github repo is to some extent back on github, at least potentially..."

> …That feels like a failure of logging on Github's part, without any additional information.

There you go, you answered your own question too.

j / k navigate · click thread line to collapse