Hacker News new | ask | show | jobs
by flower-giraffe 1010 days ago
The wording is concerning, the “including” suggests the breach could be wider.

I’d like to see a more explicit statement that lets us know things like GitHub credentials for source code integration have not been compromised.

“our initial forensic research indicates the unauthorized party accessed data about your account, including:

Rollbar usernames and user email addresses Account names Project and environment names Project access tokens Project service link configuration”
1 comments
brianr 1010 days ago
Hi, Brian from Rollbar here. We believe that the items listed comprise the entirety of the scope. We will be able to state definitively once forensic analysis is complete.

GitHub tokens are not exposed. More specifically: customer credentials stored for third party integrations (i.e. GitHub, Slack, JIRA) are stored encrypted using a key that is not stored in the database, so those are not exposed.

link
flower-giraffe 1010 days ago
Thank you for the clarification.

I think you are saying the attacker did or could have aquired the encrypted customer credentials but not the decryption key.

If that is the case could provide some more detail about the type of encryption to reassure us that it can not be brute forced.

link