A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet.
The credentials were found in a public GitHub repository owned by a Comodo software developer. With the email address and password in hand, the hacker was able to log into the company’s Microsoft-hosted cloud services. The account was not protected with two-factor authentication.
The Netherlands-based security researcher who found the credentials contacted Comodo vice president Rajaswi Das by WhatsApp to secure the account. The password was revoked the following day.
The researcher told TechCrunch that the account allowed him to access internal Comodo files and documents, including sales documents and spreadsheets in the company’s OneDrive — and the company’s organization graph on SharePoint, allowing him to see the team’s biographies, contact information (including phone numbers and email addresses), photos, customer documents, calendars and more.
“Seeing as they’re a security company and give out SSL certificates, you’d think that the security of their own environment would come first above all else,” the security researcher said. (Comodo has not been an SSL certificate issuer for several years.)
We reached out to Comodo for comment prior to publication. A spokesperson said the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.”
It’s the latest example of exposed corporate passwords found in public GitHub repositories, where developers store code online. All too often developers upload files inadvertently containing private credentials used for internal-only testing. Researchers regularly scan repositories for passwords and report them to the companies, often in exchange for bug bounties.
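The kind of check described above, as an added example written for this page (not code from Comodo, TechCrunch or the researcher): a small Python scanner that a team could run over files before they are pushed, flagging secret-bearing keys whose values are not obvious placeholders. The file contents and the values in them are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for a developer's committed config and code.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.ini": (
        "[mail]\n"
        "smtp_user = marketing-bot@example.com\n"
        "smtp_password = Hunter2!Hunter2\n"          # live-looking secret
    ),
    "deploy/env.example": (
        "SERVICE_USER=<your-email>\n"
        "SERVICE_PASSWORD=CHANGEME\n"                # template placeholder, not a finding
    ),
    "src/client.py": (
        "API_TOKEN = 'tok_51AbCdEfGh1234567890'\n"    # constructed token value
        "timeout = 30\n"
    ),
}

# Key names that usually carry secrets, and values that are clearly placeholders.
KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(password|passwd|pwd|secret|token|api_key|apikey)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"^(changeme|<.*>|\$\{.*\}|xxx+|todo|example|none|null)$", re.IGNORECASE)


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, key) for each line that looks like a live secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if PLACEHOLDER_RE.match(value) or len(value) < 8:
            continue  # skip templates and trivially short values
        findings.append((path, lineno, m.group("key")))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every file in the mapping and collect findings in file order."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for path, lineno, key in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible credential in '{key}'")
```

A real pre-commit hook would read the staged files from git instead of a dictionary; the matching logic stays the same.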
Earlier, researchers found a similarly exposed set of internal Asus passwords on an employee’s public GitHub account. Uber was also breached in 2016 after hackers found internal credentials on GitHub.