Uber drops GitHub through code-sharing platform's part in massive data breach

Uber skipped multifactor authentication

Uber has stopped using GitHub for anything expect open source code, after hackers in the 2016 data breach (announced last year) used credentials that they found on the platform to gain access to an AWS S3 bucket.

The hackers - one in Canada and the other in Florida - stole more than 57 million customer records in 2016. Uber paid them $100,000 through its bug bounty programme to keep the information quiet.

John Flynn, Uber's CISO, spoke about the bug bounty programme at a hearing before the US Senate Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security this week.

Flynn said that the hackers "found the credential [to access the S3 bucket] contained within code on a private repository for Uber engineers on GitHub". He added that Uber's Github was not protected with multifactor authentication ("We immediately took steps to implement multifactor authentication for GitHub"), so presumably the account was cracked through a bruteforce attack or similar.

"Subsequently, we did a thorough review of our GitHub repositories," Flynn continued. "My technical team initiated the process of removing additional code from GitHub that could be considered sensitive, and confirming rotation of keys. We ceased using GitHub except for items like open source code. The incident response team also worked to identify the type of data downloaded to assess the risk."

Uber was already using MFA for individual accounts on AWS, and expanded that to AWS service accounts post-breach. It has also enhanced its Identity & Access management permissions.

Flynn admitted that the bug bounty programme was "not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," but spent the majority of his testimony defending the use of such incentives. He said that Uber's programme "assisted in the effort to gain attribution and, ultimately, assurances that our users' data were secure."

GitHub told The Register, ‘This was not the result of a failure of GitHub's security. We cannot provide further comment on individual accounts due to privacy concerns.

‘Our recommendation is to never store access tokens, passwords, or other authentication or encryption keys in the code. If the developer must include them in the code, we recommend they implement additional operational safeguards to prevent unauthorised access or misuse.'

Thankfully, Uber has followed that advice - but it is something of a case of bolting the stable door after the horse has bolted.