by bifrost 2613 days ago
If you click through to the GH Issues I linked to there are some pretty good data points as to what happened. I didn't feel the need to copypasta.

But yes, publicly exposed jenkins and repos lead to the compromise, not an uncommon story unfortunately.

Perimeter - I didn't see much evidence of one existing and I didn't go probing their networks to find out.

Security tropes are real for a reason, you don't have to believe me though.

Private repos in GitHub are still publicly hosted and are orders of magnitude easier to get into than having an in-perimeter repo. They've leaked before and they'll keep on leaking. GitHub even made it harder for people to fork private repos to their own public accounts, but it still happens.


> They've leaked before and they'll keep on leaking. GitHub even made it harder for people to fork private repos to their own public accounts but it still happens

Can you provide some actual instances of this happening? Genuinely curious, as my org is currently migrating from enterprise to cloud.

I've mostly seen this reported in forums and during discussion, if you Google around you'll find some pretty useful hits.

Here's a good one from reddit: https://www.reddit.com/r/github/comments/9odnvw/someone_fork...

It's also discussed reasonably well in the infosec community. Basically GitHub is a great place to find other people's passwords and API keys.

That's unrelated to GitHub though. It sounds like the person did a git clone and then created a new repo and pushed it. You could do that with a self-hosted git repo as well. To stop that you would have to have your git server block logins from non-company machines and have some serious logging on all company machines to stop anyone moving it off via USB.

baroffoos: That's pretty close to what I'm suggesting, no public repo access. It works.
> But yes, publicly exposed jenkins and repos lead to the compromise …

You mean the past-tense verb led, not its metallic homonym lead. :)