Hacker News new | ask | show | jobs
by ncantelmo 3307 days ago
There's also a high chance that document was shared on Slack. In which case, they were one Slack breach away from the entire world having write access to their prod database.

It's depressing how many companies blindly throw unencrypted credentials around like this.
4 comments
kefka 3307 days ago
Tell me about it. Fortunately where I work is sane and reasonable about it.

We have a password sheet. You have to be on the VPN(login/password). Then you can log in. Login/Password(diff from above)/2nd password+OTP. Then a password sheet password.

I'm still rooting out passwords from our repo with goobers putting creds in sourcecode (yeah, not config files....grrrrr). But I attack them as I find them. Ive only found 1 root password for a DB in there... and thankfully changed!

link
posixplz 3307 days ago
A plaintext password sheet? Despite the layers of network access control, this is a horribly bad practice in our modern age. Vault is free and encrypted secret storage systems are hardly a new concept.
link
kefka 3307 days ago
Not at all. The password sheet password is actually a GPG key. Everything stored encrypted.

We suffer from NIH greatly. We end rolling our own stuff because either we don't trust 3rd party stuff, or it doesn't work in our infrastructure. In this case, multiple access locks with GPG is sufficient.

link
posixplz 3298 days ago
A response 8 days later is better than no response at all, right? :)

I agree that a multi-recipient GPG protected file is sufficient for a small org. In fact, that's how I used to do it Circa 2011. We found it worked quite well - we committed the GPG protected files to a version control system (git) and used githooks to make sure that only encrypted files were permitted, preventing users from intentionally/accidentally defeating gitignore.

link
tayo42 3307 days ago
Slack getting hacked would definitely be a mess. There's going to be so many cloud credentials, passwords, keys, customer info...
link
RugnirViking 3299 days ago
The exact same slack that he remained in for several hours after being fired. Even worse way to provoke a response from a disgruntled employee...
link
CodeWriter23 3307 days ago
The document is probably in Google Docs too.
link