by libeclipse 3415 days ago
Whoa, that's actually amazing. Wonder how they got alerted and reacted so fast.

GitHub provides a public firehose for events[0]. So it's possible to hook a process to read from the firehose, look for commit events, and then match file contents against the list of API keys.

[0] - https://developer.github.com/v3/activity/events/
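The firehose pipeline described above, written from the key owner's side as an added example (not code from this thread, GitHub or AWS): it filters PushEvents out of a constructed events feed, pulls each commit's content through a stand-in fetcher, and flags key-shaped strings, separating the ones on a watch list from unknown candidates. The key-ID regex, the sample feed, the commit contents and the watched keys are all assumptions or constructed values.

```python
import json
import re

# Constructed sample of the public events feed, in the shape of the GitHub
# v3 Events API: a JSON list of event objects with "type" and "payload".
SAMPLE_EVENTS = json.dumps([
    {"type": "WatchEvent", "repo": {"name": "example/website"}, "payload": {}},
    {"type": "PushEvent", "repo": {"name": "example/deploy-scripts"},
     "payload": {"commits": [{"sha": "c0ffee01"}, {"sha": "c0ffee02"}]}},
    {"type": "PushEvent", "repo": {"name": "example/notes"},
     "payload": {"commits": [{"sha": "beef0003"}]}},
])

# Constructed stand-in for fetching a commit's diff by sha; a real scanner
# would call the commits API here (hypothetical data, not real keys).
COMMIT_CONTENT = {
    "c0ffee01": "+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n+region=us-east-1\n",
    "c0ffee02": "+# refactor helper, nothing sensitive\n",
    "beef0003": "+token = AKIAEXAMPLEKEY000002  # TODO remove\n",
}

# Key IDs the operator is responsible for (constructed values).
WATCHED_KEYS = {"AKIAEXAMPLEKEY000001"}

# Shape of an AWS access key ID (an assumption about the public format, not
# something the thread states): a 4-letter prefix plus 16 upper/digit chars.
KEY_PATTERN = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def push_commit_shas(events_json):
    """Return (repo, sha) for every commit in every PushEvent in the feed."""
    pairs = []
    for event in json.loads(events_json):
        if event.get("type") != "PushEvent":
            continue  # stars, forks, issues etc. carry no file content
        repo = event["repo"]["name"]
        for commit in event["payload"].get("commits", []):
            pairs.append((repo, commit["sha"]))
    return pairs


def scan_feed(events_json, fetch_content, watched):
    """Return findings as (repo, sha, key, status); status is 'watched' when
    the key is one we own and should revoke, else 'unknown' for triage."""
    findings = []
    for repo, sha in push_commit_shas(events_json):
        for key in sorted(set(KEY_PATTERN.findall(fetch_content(sha)))):
            status = "watched" if key in watched else "unknown"
            findings.append((repo, sha, key, status))
    return findings


if __name__ == "__main__":
    for hit in scan_feed(SAMPLE_EVENTS, COMMIT_CONTENT.__getitem__, WATCHED_KEYS):
        print(hit)
```

Against a live feed the fetcher is the only part that changes; the filter-then-match structure is what keeps the crawler cheap enough to keep up with the event volume.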

Yikes. So this is where the evil crawlers are sitting.

Reminds me of the water pipeline in Finding Nemo with the crabs above it.

Alexa probably overheard the developer swearing…
It's cheaper for them to give a few engineers a web crawler project that's this specific than it is to refund people. I'm just surprised they don't have an "auto revoke access key if found on interwebz" setting in the AWS account settings actually.
It's not surprising, consider the failure modes:

- a key is made public, and we have to call a user or refund them (for retention purposes)

- a key is made public, and we revoked the key, potentially breaking the customer's builds/deploys and potentially knocking a customer's stuff out (if, for example, a key is disabled during a push to production).

I heard AWS has a crawler for that specifically. Not sure if it's true, but makes sense based on the anecdata.