Uber has said that it now uses GitHub only for open-source projects, a few months after admitting a serious data breach that began with credentials stored on GitHub, where the ride-hailing service had not enforced multifactor authentication on its accounts.
Uber had paid the hackers £75,000 to keep the 2016 data breach out of public view, and the incident stayed hidden until new CEO Dara Khosrowshahi decided to come clean and disclose it.
In November last year, Uber confirmed that in October 2016 two attackers obtained login credentials for one of Uber’s Amazon Web Services servers from the code-hosting site GitHub and used them to steal the personal details of 57 million registered Uber drivers and riders, including as many as 2.7 million drivers and riders from the UK.
The admission came after controversial CEO Travis Kalanick was replaced by Dara Khosrowshahi. Soon after taking over, Khosrowshahi fired security chief Joe Sullivan and chief legal officer Salle Yoo for their actions after the breach was discovered.
Following Uber’s admission, security researchers questioned why Uber did not address how its engineers would store or share passwords for GitHub accounts in the future.
‘All it took was one developer making a mistake by checking a password into GitHub. Why does that password unlock so many sensitive records? These kinds of slip-ups are frequently surfaced during internal pen tests or third-party security audits,’ said Ken Spinner, VP of Field Engineering at Varonis.
‘This point of failure raises the question: are Uber employees required to use 2FA for key applications like GitHub? Many attacks nowadays originate from compromised credentials; businesses need to ensure that hacking one employee’s account doesn’t unlock such a wide array of sensitive data,’ he added.
It seems that Uber has finally decided to address such concerns to prevent future cyber security incidents. According to a report published in The Register, Uber has decided not to use GitHub for any purpose other than open-source projects.
The report adds that John Flynn, Uber’s chief information security officer, told the US Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security that following the breach, Uber immediately took steps to ‘implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder’.
‘Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours. We ceased using GitHub except for items like open source code,’ Flynn said.
When contacted by The Register, GitHub said that while the data breach was not the result of a failure of GitHub’s security, it recommends that users not store access tokens, passwords, or other authentication or encryption keys in code. ‘If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorized access or misuse,’ it added.
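GitHub’s advice is a policy; what enforces it is a check that runs before a commit leaves the developer’s machine. The following is an added example, not code from Uber, GitHub or The Register, of a pre-commit secret scanner: it reads a unified diff, looks only at the lines being added, and flags AWS access key IDs (fixed prefix and length), 40-character base64-style strings whose Shannon entropy is high enough to be a real AWS secret key, and anything quoted and assigned to a password-like name. The file path, regex keyword list, 4.0-bit entropy threshold and the sample diff are all constructed for illustration; the key pair in the sample is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
"""Secret scanner for staged changes: refuses commits that would push AWS keys
or other hard-coded credentials to GitHub.  Added example, not Uber's code."""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# AWS access key IDs have a fixed prefix and length, so a plain regex is enough.
AWS_ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret keys are 40 characters of base64-style text; the entropy check
# below separates them from 40-character padding strings or similar noise.
AWS_SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
# Anything at least 8 characters long assigned to a password-like name
# (keyword list is an assumption; extend it for your code base).
CREDENTIAL_ASSIGNMENT_RE = re.compile(
    r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
HUNK_HEADER_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # line number in the new version of the file
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-char base64 string scores close to 5.3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(path: str, lineno: int, text: str, entropy_threshold: float = 4.0) -> list[Finding]:
    """Apply the three detectors to one added line and return every hit."""
    found = []
    for m in AWS_ACCESS_KEY_ID_RE.finditer(text):
        found.append(Finding(path, lineno, "aws_access_key_id", m.group(0)))
    for m in AWS_SECRET_CANDIDATE_RE.finditer(text):
        if shannon_entropy(m.group(0)) >= entropy_threshold:
            found.append(Finding(path, lineno, "aws_secret_access_key", m.group(0)))
    for m in CREDENTIAL_ASSIGNMENT_RE.finditer(text):
        found.append(Finding(path, lineno, "hardcoded_credential", m.group(1)))
    return found


def scan_diff(diff: str) -> list[Finding]:
    """Scan only the lines a unified diff adds, tracking new-file line numbers."""
    findings, path, new_lineno = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif (m := HUNK_HEADER_RE.match(raw)):
            new_lineno = int(m.group(1))
        elif raw.startswith("+"):
            findings.extend(scan_line(path, new_lineno, raw[1:]))
            new_lineno += 1
        elif raw.startswith(" "):
            new_lineno += 1  # unchanged context also occupies a new-file line
        # removed lines ("-") and other headers do not advance the counter
    return findings


# Constructed sample diff.  The key pair is the placeholder AWS uses in its own
# documentation, not a live credential; the path is made up.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,1 +1,6 @@
 DEFAULT_REGION = "us-east-1"
+# documented AWS placeholder credentials, not real keys
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY"
+DB_PASSWORD = "hunter2hunter2"
+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""


def main() -> int:
    if len(sys.argv) > 1 and sys.argv[1] == "--staged":
        # Real pre-commit use: scan exactly what is about to be committed.
        diff = subprocess.run(["git", "diff", "--cached"], capture_output=True,
                              text=True, check=True).stdout
    else:
        diff = SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        # Never echo the secret itself into terminal or CI logs.
        print(f"{f.path}:{f.line}: {f.kind} ({f.value[:4]}...)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run without arguments to see the three hits on the constructed sample (the 40-character run of ‘a’ is correctly ignored because its entropy is zero); install it as `.git/hooks/pre-commit` invoking `--staged` and a non-zero exit blocks the commit. The scanner only prevents future leaks: a secret that has already been pushed stays in the repository history and, as the page reports Uber did with the AWS credential, has to be rotated rather than merely deleted.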