New ask Hacker News story: GitHub leaked names of private repositories

GitHub leaked names of private repositories
6 by lukashed | 0 comments on Hacker News.
I just received the following email:

Hi [username],

We're writing to let you know that between January 2021 and September 2021, the following information about your repository was inadvertently made publicly viewable after being sent to a third-party vendor as part of metadata analysis of GitHub Pages sites: the name of the private repository and the GitHub username with ownership of the repository. No repository content or other private data was exposed as part of this incident.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event, nor did unauthorized users gain access to repositories. Read on for more information.

* What happened? *

GitHub learned from an internal discovery by a GitHub employee that GitHub Pages sites published from private repositories on GitHub were being sent to urlscan.io for metadata analysis as part of an automated process. This internal process was implemented before the private GitHub Pages feature was released and provides metadata that is used during human review of potentially malicious or abusive GitHub Pages sites. To view the name of the private repository on urlscan.io, you would need to have been looking at the front page of urlscan.io within approximately 30 seconds of the analysis being performed, or to have specifically searched using a query that would return the analysis in the search results.

* What information was involved? *

The following URLs, but no content, were made publicly viewable:

GitHub Pages URLs: [link containing username and name of private GH repository]

* What GitHub is doing *

GitHub immediately began work on fixing the automated process that sends GitHub Pages sites for metadata analysis so that only public GitHub Pages sites are sent for analysis. Future analysis of public GitHub Pages sites will be unlisted from public view as an additional protection. We also worked with the third-party vendor, urlscan.io, to delete all existing public records of private GitHub Pages sites generated from this situation.

* What you can do *

No action is required on your end; we have updated our systems and worked with our third-party vendor to ensure this data is no longer publicly viewable. Please feel free to reach out to us with any additional questions or concerns through the following contact form:
