by stephenr 3415 days ago
You pushed your secret key, and they recognised it?

Does that imply that they are not hashing secret keys, or did you also push the account key (allowing for a single auth test on their side)?

2 comments

It's also possible that they just scrape the GitHub firehose for common patterns like

  AWS_SECRET_KEY="FOOBAR"

and send a message to the committer's email (since you presumably used a correct/valid email in the git commit).

The secret key can probably be used to generate the account key.
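
The pattern scan suggested in the first reply above, sketched as an added example (not code from the thread or from any provider): it reads one patch in `git format-patch` layout, checks only the lines the commit adds, and returns masked findings together with the author address to notify. It goes slightly beyond the quoted pattern by also matching access key IDs; the function name, the rule names and the sample patch are assumptions made for illustration, and sending the message is left to the caller.

```python
import re

# Long-term AWS access key IDs: "AKIA" + 16 chars. Secret access keys: 40 chars.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_ASSIGN = re.compile(
    r"""(?i)\baws_?secret(?:_?access)?_?key\b\s*[=:]\s*["']?"""
    r"""([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])""")
RULES = (("access_key_id", ACCESS_KEY_ID), ("secret_key", SECRET_ASSIGN))

# Constructed sample patch; the key values are the examples from AWS documentation.
SAMPLE_PATCH = '''\
From: Dev Example <dev@example.com>

diff --git a/deploy.env b/deploy.env
--- a/deploy.env
+++ b/deploy.env
@@ -1,2 +1,5 @@
 REGION=us-east-1
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_SECRET_KEY="FOOBAR"
 DEBUG=0
'''

def scan_patch(patch):
    """Report credentials on lines the patch adds; values are masked in the report."""
    findings, author, path, lineno, in_hunk = [], None, None, 0, False
    for raw in patch.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and raw.startswith("From: "):
            m = re.search(r"<([^>]+)>", raw)
            author = m.group(1) if m else None
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif raw.startswith("@@ "):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno, in_hunk = int(m.group(1)) - 1, True
        elif in_hunk and raw.startswith(("+", " ")):
            lineno += 1  # added and context lines both advance the new-file line number
            if raw[0] == "+":
                for kind, rx in RULES:
                    for m in rx.finditer(raw[1:]):
                        findings.append({"kind": kind, "file": path, "line": lineno,
                                         "notify": author, "value": m.group(1)[:4] + "..."})
    return findings

if __name__ == "__main__":
    print(*scan_patch(SAMPLE_PATCH), sep="\n")
```

The placeholder `"FOOBAR"` is not reported because the secret rule requires the full 40-character value, which keeps template and documentation lines from generating notifications.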