Adafruit, a technology company, has disclosed that customer information was exposed in a publicly accessible repository on GitHub.
Company officials believe that this exposure may have allowed unauthorized access to information about certain individuals from prior to 2019.
Founded in 2005, Adafruit is based in New York and manufactures open-source hardware and software components. The company sells a wide array of electronics products, tools, accessories, and other items that are both innovative and user-friendly.
Ex-Employee’s GitHub Repo Held Real User Data
On Friday, March 4th, Adafruit announced that a publicly available GitHub repository contained a data set with information on some user accounts. This information included user-agent and platform-specific data for all site visitors, along with:
- Names,
- Email addresses,
- Billing addresses,
- Order details, and
- Order placement status and payment information associated with online merchant accounts, held via PayPal or credit card or entered through a payment processor.
According to Adafruit, the exposed data set did not contain card details such as credit and debit card numbers. However, the information could be used by spammers and identity thieves to target Adafruit customers, so the company moved to have it disabled.
The incident occurred because a former employee had placed the data in their GitHub repository. It appears that the person was using the Adafruit data for personal, non-academic purposes.
Within 15 minutes of learning that the information had been exposed, Adafruit began working with the former employee responsible, located the GitHub repository in question, and commenced a forensic evaluation to determine whether any access had occurred, what kind of access was involved, and which information was affected.
Users Demand Proper Notification
Adafruit states that it is disclosing the incident “for accountability and transparency.”
The company had initially decided not to send every affected user an email. Update: Adafruit has since revised its stance and now states that it will email every affected user.
“We appreciate the feedback from the community and our customers and will be emailing users as part of this disclosure. We apologize for not doing that at the same time as the post/disclosure on Friday, March 4, 2022,” says the company.
“We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case,” Adafruit’s Managing Director Phillip Torrone and founder Limor “Ladyada” Fried had previously stated.
Not all Adafruit customers agree, however, with some requesting that email notifications be sent about the incident.
A major concern for users is that real customer information was present in a former team member’s GitHub repository rather than automatically generated “fake” staging data, and how this information could be used by phishing actors.
It is essential to keep in mind, however, that such customer data and legally binding documentation must be kept in a private repository.
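One concrete safeguard against the failure described above (real customer records committed where synthetic staging data belonged) is a pre-commit gate that scans an export for real-looking records before it reaches any repository. The following is an added example, not Adafruit’s code; the file name pii_gate.py, the sample rows, and the heuristics (RFC 2606 reserved domains treated as synthetic, a Luhn check to tell card numbers from order numbers) are assumptions of this example.

```python
"""Pre-commit style gate that refuses to commit a customer export containing
real-looking records. Added example, not Adafruit's code; rows are constructed."""
import re
import sys

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]{2,}")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# RFC 2606 reserves these domains for documentation and testing, so addresses
# under them are treated as safe synthetic staging data.
SYNTHETIC_DOMAINS = {"example.com", "example.net", "example.org"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from order and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_synthetic_email(addr: str) -> bool:
    domain = addr.rsplit("@", 1)[1].lower()
    return domain in SYNTHETIC_DOMAINS or domain.endswith(".example")

def scan_for_pii(text: str) -> dict:
    """Count real-looking email addresses and Luhn-valid card numbers in text."""
    emails = [m.group(0) for m in EMAIL_RE.finditer(text)]
    cards = [re.sub(r"[ -]", "", m.group(0)) for m in CARD_RE.finditer(text)]
    return {"emails": sum(not is_synthetic_email(e) for e in emails),
            "cards": sum(luhn_ok(c) for c in cards)}

def safe_to_commit(text: str) -> bool:
    findings = scan_for_pii(text)
    return findings["emails"] == 0 and findings["cards"] == 0

# Constructed sample exports; the card number is a well-known test number.
REAL_EXPORT = """name,email,billing_address,order_id,order_status,payment
Jane Doe,jane.doe@gmail.com,"12 Main St, Springfield",2022030412345,shipped,4111 1111 1111 1111
"""
STAGING_EXPORT = """name,email,billing_address,order_id,order_status,payment
Test User,test.user@example.com,"1 Staging Way, Nowhere",2022030412345,shipped,xxxx-xxxx-xxxx-1234
"""

if __name__ == "__main__":  # usage: python pii_gate.py export.csv ...
    texts = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    sys.exit(0 if all(safe_to_commit(t) for t in texts) else 1)
```

Wired into a git pre-commit hook, a non-zero exit blocks the commit, so the real-looking export is stopped while the masked staging export passes.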
Last year, e-commerce behemoth Mercari experienced a data leak through their private GitHub repo, releasing over 17,000 customer records, including banking information. Rapid7 also experienced a data leak through their private GitHub repo, affecting a “small subset” of customers.
“We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use,” says Adafruit.
Users should keep an eye out for any phishing scams or communications they may have received impersonating Adafruit directly, as these communications may come from attackers. Adafruit expressly cautions against fake “password reset” alerts that scammers may use to trick victims into giving up their passwords.
Please contact Adafruit at security@adafruit.com with any questions or concerns about suspicious emails or unauthorized access attempts by threat actors.