[siwatanejo]

It's normal that a dev has *access* to all the code.

But did he clone all the repos into his machine? I doubt it. So, the hacker extracted all the 3800 repos using the employee's machine as a gateway? I doubt it as well, I'm sure they would have detected this huge amount of data much earlier than transferring all of it?

> The real question is why github has 3800 internal repos.

I guess they mean customer's private repos?

[selcuka]

> I guess they mean customer's private repos?

I don't think so. It is even worse if a random developer has access to customers' private repos.

[siwatanejo]

Good point. Then why in the world would a company have 3,500 repos? Do they create a repo for each employee?

[timmb]

They’ve been developing git and GitHub for over a decade. It really isn’t surprising they have made thousands of internally available repos. They probably have hundreds just for running automated tests alone.

[kube-system]

I am sure many of their employees create repos. Is that strange?

It doesn’t mean they are all masterpieces of elaborate production code.

[Arbortheus]

That is not unheard of at a large software company.

[trick-or-treat]

I'm personally up to 400 or so

[stavros]

All the attackers need to do is steal an SSH key and they'd be able to clone everything, no?

[fernie]

Nah GitHub/MS doesn't allow SSH keys for their internal stuff. You have to use git-credential-manager, which enforces MFA

[LtWorf]

Depends how it's set up. Many companies add an IP address check so if you don't come via their VPN (or are not in the office) the connection will be rejected before any auth is asked.

So you'd need to authenticate for the VPN, which often has 2nd factor.

But I have no idea of how they are set up.