by philsnow 3136 days ago
You couldn't enforce 2FA on GHE for the longest time. GHE version 2.8.0 lists [0] "Enforce two-factor authentication" as a feature. 2.8.0 was released November 2016. According to the article,

> Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said.

I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.

[0] https://enterprise.github.com/releases/2.8.0


Yeah, this was such a PITA several years ago... To solve the problem we ended up building a small proxy in Perl for the express purpose of adding 2FA to GitHub Enterprise.

> I don't know if they were using GHE. If they were, at the time it did not come with a good way for them to enforce 2FA for users.

Well, sort of - at the application level, that's true, but GHE is typically run behind a VPN. Certainly that should be the case for a company the size of Uber.

Even before GHE added 2FA, it shouldn't have been possible for a leaked set of login credentials to be used to access GHE, without some other sort of compromise (VPN cert, physical compromise of hardware, etc.).

At my company (mostly a Windows and Microsoft shop), my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company. And I'm just a senior-ish developer.

Lateral movement by an attacker is a real thing. And while credential reuse is something most security-focused web companies are trying to mitigate, a push for SSO-like account management is seemingly undoing most of that effort inside the network if not done properly (specifically, auditing and monitoring of behavior).
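One concrete form of the "auditing and monitoring of behavior" the comment above asks for, as an added example that is not from any commenter, from GitHub or from any product named in the thread: when one directory credential unlocks the VPN, the source-control server and the deployment tool, a single sign-on log is the one place where all of those logins meet, so a simple check there can flag one identity being used from more than one source address in a short window. The log format, the field names and the sample lines below are all constructed for this example; the window of 15 minutes is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample SSO audit lines (not from any real system). The assumed
# format is: "<ISO timestamp> sso user=<name> app=<app> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2016-11-14T09:00:01 sso user=alice app=vpn src=10.0.0.5 result=ok
2016-11-14T09:02:10 sso user=alice app=tfs src=10.0.0.5 result=ok
2016-11-14T09:03:45 sso user=alice app=octopus src=203.0.113.7 result=ok
2016-11-14T09:10:00 sso user=bob app=vpn src=10.0.0.9 result=ok
2016-11-14T13:30:00 sso user=bob app=tfs src=10.0.0.9 result=ok
2016-11-14T09:11:00 sso user=carol app=vpn src=10.0.0.12 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sso user=(?P<user>\S+) app=(?P<app>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw audit lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "app": m["app"],
            "src": m["src"],
            "ok": m["result"] == "ok",
        })
    return events


def _first_multi_source(user, evs, window_seconds):
    """Return the first pair of successful logins for `user` that come from
    different source addresses within `window_seconds`, or None."""
    for i, first in enumerate(evs):
        for later in evs[i + 1:]:
            gap = (later["ts"] - first["ts"]).total_seconds()
            if gap > window_seconds:
                break  # events are time-sorted, so nothing later can be closer
            if later["src"] != first["src"]:
                return {
                    "user": user,
                    "sources": sorted({first["src"], later["src"]}),
                    "apps": sorted({first["app"], later["app"]}),
                    "seconds_apart": int(gap),
                }
    return None


def find_multi_source_logins(events, window_minutes=15):
    """One finding per identity whose credential succeeded from more than one
    source address inside the window. Failed attempts are ignored here; they
    are a separate signal. This is a starting point for review, not proof of
    compromise: roaming users and proxies produce the same pattern."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        hit = _first_multi_source(user, evs, window_minutes * 60)
        if hit:
            findings.append(hit)
    return findings


def scan(text, window_minutes=15):
    """Convenience wrapper: parse the log text and run the check."""
    return find_multi_source_logins(parse_log(text), window_minutes)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['user']}: {f['sources']} across {f['apps']} "
              f"within {f['seconds_apart']}s")
```

On the sample data only alice is reported (VPN and TFS from 10.0.0.5, then Octopus from 203.0.113.7 within four minutes); bob's two logins are hours apart from one address and carol has no successful login. Shrinking the window to one minute clears the finding, which is why the threshold belongs in a tunable parameter and the output belongs in a review queue rather than an automatic lockout.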

> my domain credentials are used to log into the VPN, and TFS, and Octopus. Compromising just that one set of credentials could effectively "own" our company.

This is why 2FA is important! I worked for a company that had a very similar setup: I essentially had a single "LDAP" password. But: everything web-browser went through a single sign-on site, and it required 2FA (and so, you were never entering your password into even random internal applications: there was exactly one page where you should log in). Terminal stuff had a similar flow that also required 2FA (e.g., for SSH). As a user, the experience was not painful at all.

It does seem like, however, from an operations standpoint, getting such a setup in the first place is not trivial.

If they are/were using GHE, I would expect (hope?) that they require some sort of VPN to get access to it, so my guess would be this was stored on github.com.

> I don't know if they were using GHE.

They don't use GHE, they use Phabricator.