Hacker News new | ask | show | jobs
by ciguy 479 days ago
OP seems to think that using a .env file means your key can't be leaked because it's not in a git repo. I would bet good money one of their devs accidentally committed it, or that they put it on a server somewhere and it's being served up as a regular file.
2 comments
eightysixfour 479 days ago
It happened again after rolling it, so a dev’s machine is compromised, the prod infra is, or they’re straight serving the key somewhere.
link
ciguy 479 days ago
Exactly. If I had to bet I would guess their server is just straight up serving the file. I've seen that way too many times.
link
DannyBee 479 days ago
Agreed. It doesn't even have to be direct. Maybe somebody committed their shell history, or something.
link