Adafruit has revealed that a data breach happened due to a publicly accessible GitHub repository. The business believes this may have permitted “unauthorized access” to information about specific users on or before 2019. Adafruit, based in New York City, has been making open-source hardware components since 2005. Electronic items, tools, and accessories are designed, manufactured, and sold by the firm.
Adafruit revealed on Friday, March 4th, that a publicly available GitHub repository contained a data set with information on several user accounts. This data included names, email addresses, billing/shipping addresses, order details, and order placement status through a payment processor or PayPal. The company stated that the data set did not include any user passwords or financial information such as credit card numbers. Even so, spammers and phishing actors could exploit genuine user data, order details in particular, to target Adafruit customers with convincing lures.
Notably, the data breach originated in a former employee’s GitHub project rather than in Adafruit’s own repositories: the former employee had been using real customer information for training and data-analysis work in their personal GitHub repository.
“Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved,” explained the company.
Adafruit says it is disclosing the incident “for transparency and accountability,” since it is not aware of the leaked information having been exploited by an adversary. However, the company has opted not to notify every user by email. Instead, it publishes all security disclosures on its blog and security pages, and states that there is no action for customers to take because no passwords or credit card information were present in the data-analysis collection.
The presence of genuine customer information in a former team member’s GitHub repository, rather than synthetically generated “fake” staging data, is a significant source of concern for customers. Storing sensitive customer information in any GitHub repository, private ones included, is a dangerous practice.
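The practical lesson of the paragraph above is that real customer records should never reach a repository at all, public or private, and that staging data should be recognisably synthetic. The following is an added example, not Adafruit's code and not part of the original article: a small pre-commit style check that scans files about to be committed and fails when it finds e-mail addresses outside the domains reserved for documentation and testing (RFC 2606 / RFC 6761: example.com, .test, .invalid and friends), escalating the severity when the file also looks like a customer-record table. The column names, severity levels and the two sample CSV files are assumptions constructed for this illustration.

```python
"""Added example (not Adafruit's code): refuse to commit files that appear to
contain real customer records instead of synthetic staging data."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Matches an e-mail address and captures its domain part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Domains reserved by RFC 2606 / RFC 6761 can never belong to a real customer,
# so staging data that uses them is allowed through.
SYNTHETIC_DOMAINS = ("example.com", "example.net", "example.org",
                     "example", "test", "invalid", "localhost")

# Hypothetical column names that mark a CSV file as a customer-record table.
PII_COLUMNS = {"name", "email", "billing_address", "shipping_address",
               "order_id", "payment_status"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str
    reason: str


def is_synthetic(domain: str) -> bool:
    """True if the domain is a reserved name or a subdomain of one."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in SYNTHETIC_DOMAINS)


def scan_file(path: str, text: str) -> list[Finding]:
    """Flag every non-reserved e-mail address; rate it 'high' when the file's
    header row also looks like a customer-record table."""
    findings: list[Finding] = []
    lines = text.splitlines()
    if not lines:
        return findings
    header = {col.strip().lower() for col in lines[0].split(",")}
    is_record_table = len(header & PII_COLUMNS) >= 2
    for lineno, line in enumerate(lines, start=1):
        for match in EMAIL_RE.finditer(line):
            if is_synthetic(match.group(1)):
                continue
            severity = "high" if is_record_table else "medium"
            findings.append(Finding(path, lineno, severity,
                                    f"non-reserved e-mail domain in {match.group(0)}"))
    return findings


def check_staged(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (ok, findings) for a mapping of path -> file contents."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return (not findings, findings)


# Constructed sample inputs: one file that looks like a real export,
# one that uses a reserved domain the way staging data should.
REAL_LOOKING_SAMPLE = """name,email,shipping_address,order_id,payment_status
Jane Doe,jane.doe@mailhost.com,"1 Main St, Springfield",A1001,paid_paypal
"""
SYNTHETIC_SAMPLE = """name,email,shipping_address,order_id,payment_status
Test User,test.user@example.com,"1 Example Rd, Testville",T0001,paid_test
"""


def main(argv: list[str]) -> int:
    """Hook entry point: `python check_pii.py <staged files...>`; exits 1 on findings."""
    staged = {p: open(p, encoding="utf-8", errors="replace").read() for p in argv[1:]}
    ok, findings = check_staged(staged)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.severity}] {f.reason}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into a pre-commit hook (for example via `git diff --cached --name-only` feeding the script), this blocks the commit before the data ever leaves the developer's machine; a reviewer can then replace the offending rows with generated records on a reserved domain rather than redacting after the fact.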
Users should watch for phishing attempts or correspondence purporting to come from Adafruit employees. According to the company, fake “password reset” notices should be avoided at all costs, since they may induce users to reveal their credentials. Adafruit asks that inquiries about suspicious emails or unauthorized access attempts by threat actors be sent to email@example.com.