Hacker News new | ask | show | jobs
by dpb1 2547 days ago
Hijacking top comment...

We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities. Canonical has removed the compromised account from the Canonical organisation in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected.

Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected.

We plan to post a public update after our investigation, audit and remediations are finished.

Thank you, your trust in Canonical is important to us, which is why we make privacy and security a priority.

-David on behalf of Canonical
4 comments
noobermin 2547 days ago
At least it wasn't as juvenile as the (possible actual) juvenile "hack"[0] of Gentoo's repos that had insertions of "rm -rf /" at the wrong places (where they wouldn't even execute) and insertions of racial slurs into readmes.

[0] https://wiki.gentoo.org/wiki/Project:Infrastructure/Incident...

link
atzpawn 2544 days ago
I just recall the takeover of the Lubuntu project by this kid, kicking out all others and his attempt to threaten others in the project at Christmas time as a ubuntu tm licensee for his website impostering as a Ubuntu trade mark owner. His forged evidence provided worked with Github staff to get others blocked. I don't trust Ubuntu accounts anymore and I don't trust Canonical because they let it happen.
link
gaia 2547 days ago
Thank for the update, David. Would this be an affected store? https://us.images.linuxcontainers.org/images/ubuntu/bionic/a...
link
dpb1 2547 days ago
From our investigation so far, they do not appear to be, No.
link
mdt711 2546 days ago
Launchpad doesn't look very trustworthy either: https://launchpad.net/projects/+all
link
DarkStar851 2546 days ago
Launchpad is public, think GitHub but for packages. The Canonical Launchpad repositories weren't tampered. Presumably a lot fewer people have commit access to LP since it's used for package distribution.
link