by necovek 2250 days ago
But that sounds like a case where the attacker would have gained access to most relevant stuff anyway, and the difference in effect was mostly to the tune of $35k in costs (instead of spending resources on companies' own hardware)? While that's a big chunk for a start-up, it's not even one year of a developer's salary.

While I am of a similar old school to you (I run my own mail server, web server, nextcloud, used to do ejabberd too...), I think it's more cost effective for smaller companies not to do it themselves, as long as they keep their own backups.

The difference is that when they self-host, they are more vulnerable to targeted attack (on average, for similar dollar investment), but if they host with SaaS providers, it's opportunistic attacks they should worry about more.


It was more that their entire code repo was downloaded, which included a number of third party access codes, never mind the intellectual property involved.

If that stuff is only hosted internally behind a firewall, with a VPN requirement to access, it would have been fine. Instead it was all on Github.
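On the point above about a downloaded repo carrying third-party access codes: wherever the repo is hosted, the control that limits the damage of a repo leak is keeping credentials out of commits in the first place, typically with a scanner run as a pre-commit hook or in CI. The following is an added example and not code from the thread or from any project mentioned in it; the detection rules, the placeholder list and the sample repository contents are all constructed for illustration (the AKIA key is AWS's documented non-functional example id, the other values are made up).

```python
import os
import re
from typing import Dict, List, Tuple

# A finding is (relative path, 1-based line number, rule name).
Finding = Tuple[str, int, str]

# Fixed-format rules match well-known credential shapes; the generic rule is a
# heuristic for "secret-looking variable = long literal" and is filtered for
# obvious placeholders. All rules are this example's own choices, not a standard.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9_\-/+=.]{16,})['\"]?"
    ),
}

# Values containing these markers are treated as placeholders, not live secrets.
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "xxxx")


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents; at most one finding per rule per line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # The generic rule captures the literal; skip obvious dummies.
            if rule == "generic_assignment" and looks_like_placeholder(match.group(1)):
                continue
            findings.append((path, lineno, rule))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map and return sorted findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings)


def scan_directory(root: str) -> List[Finding]:
    """Walk a checked-out tree (skipping .git) and scan every readable file."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_repo(files)


# Constructed sample repository: a leaked .env, settings that read one key from
# the environment but hard-code another, a committed private key, a deploy
# script with an inline token, and a README that merely mentions a variable name.
SAMPLE_REPO: Dict[str, str] = {
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=Zq8vL2nXwK4tR7yB1mC9dF3hJ6pS0uE5aG2kN8xT\n"
    ),
    "config/settings.py": (
        'DATABASE_URL = "postgres://app:app@db/app"\n'
        'STRIPE_API_KEY = "sk_test_placeholder_value_1234"\n'
        'SENDGRID_API_KEY = os.environ["SENDGRID_API_KEY"]\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructedsample\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "scripts/deploy.sh": (
        'curl -H "Authorization: token ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8" '
        "https://api.github.com/user\n"
    ),
    "README.md": "Set GITHUB_TOKEN in your environment; do not commit it.\n",
}


if __name__ == "__main__":
    for path, lineno, rule in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {rule}")
```

Running the block against the constructed sample reports the .env key pair, the committed private key and the token in the deploy script, and stays quiet on the placeholder Stripe key, the environment lookup and the README. In a real pre-commit hook you would call scan_directory on the working tree (or, better, scan only the staged diff) and refuse the commit on any finding; the point is that a repo clone, whether it was taken from a SaaS host or from a server behind a VPN, should not contain anything worth stealing besides the code itself.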

Right, but if they hacked a particular remote employee who had access to it, they could have gotten access to the same stuff — their attack vectors might have been more limited, that is true.