Adafruit has disclosed a data leak that occurred due to a publicly-viewable GitHub repository.
The company suspects this could have allowed “unauthorized access” to information about certain users on or before 2019.
Based in New York City, Adafruit is a producer of open-source hardware components since 2005. The company designs, manufactures, and sells electronics products, tools, and accessories.
Ex-employee’s GitHub repo had real customer data
On Friday, March 4th, Adafruit announced that a publicly-accessible GitHub repository contained a data set comprising information on some user accounts. This information included:
- email addresses
- shipping/billing addresses
- order details
- order placement status via payment processor or PayPal
The data set, according to Adafruit, did not contain any user passwords or financial information such as credit cards. However, the exposure of real user data, including order details, could be used by spammers and phishing actors to target Adafruit’s customers.
Interestingly, the data leak did not occur from Adafruit’s GitHub repository but that of a former employee. It appears that a former employee was using real customer information for training and data analysis operations in their GitHub repo.
“Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved,” explained the company.
Users demand proper notifications
At this time, Adafruit is not aware of the exposed information being misused by an adversary and claims it’s disclosing the incident “for transparency and accountability.”
The company has, however, decided not to email every user about the incident. Update: After this report’s publication, Adafruit has revised its position and now states it will indeed email users.
“We appreciate the feedback from the community and our customers, and will be emailing users as part of this disclosure. We apologize for not doing that at the same time as the post/disclosure on Friday, March 4, 2022,” says the company.
Adafruit explains that although all security disclosures are published on the company’s blog and security pages, there is no action for the users to perform as no passwords or payment card information were exposed in the data analysis set.
“We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case,” Adafruit’s Managing Director Phillip Torrone, and founder Limor “Ladyada” Fried had previously stated.
But, not all Adafruit customers are convinced, with some demanding email notifications be sent out with regards to the incident:
A major concern among users is the presence of real customer information in a former team member’s GitHub repo, as opposed to using automatically-generated “fake” staging data. And, how this information could be misused by phishing actors:
It is worth noting, keeping real customer data in GitHub repositories, even private ones, is a risky decision.
Last year, e-commerce giant Mercari had suffered a data leak via their private GitHub repo exposing over 17,000 customer records including banking information. Rapid7 also suffered a data leak via private GitHub repo impacting a “small subset of customers.”
“We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use,” says Adafruit.
Users should remain vigilant for any phishing scams or communications they may receive impersonating Adafruit staff. The company especially cautions against bogus “password reset” alerts that may entice victims into giving away their passwords.
Adafruit requests that concerns related to any such suspicious emails or unauthorized access attempts by threat actors be directed to firstname.lastname@example.org.
Update March 7th, 11:18 AM ET: After this report’s publication, Adafruit revised its position and states it will email users. Added Adafruit’s new statement.