Skip to content
Naked Security Naked Security

Adafruit suffers GitHub data breach – don’t let this happen to you

Training data stashed in GitHub by mistake... unfortunately, it was *real* data

Popular open-source computer hardware company Adafruit Industries accidentally exposed customer data…

…via the GitHub account of a former employee.

As you’ve probably figured out already, Adafruit is named after after Ada Lovelace, a nineteenth-century British intellectual who was a computer programmer long before any programmable computers existed.

As mysterious as that might sound, the story is both uplifting and disappointing in equal measure. In the 1830s, British inventor Charles Babbage designed a general-purpose computer that he dubbed the Difference Engine. While he was busy trying to construct the device, Ada started wrestling with how it might be used. She outlined numerous programming principles that today we take for granted, such as loops and subroutines for commonly repeated computations, essentially coding various algorithms that would run on it. She even began pondering the issues of artificial intelligence and whether computing machines might ever truly be considered capable of independent thought and creativity. (Her considered conclusion, dubbed Lady Lovelace’s Objection by twentieth-century computer scientist Alan Turing, was: “No.”)
Unfortunately, Babbage’s computer – which was, of nineteenth century necessity, entirely mechanical – turned out to be unbuildable. The lathes and milling machines of the day just weren’t up to the precision required to allow its many cogs and levers to operate reliably in unison. The cumulative effects of backlash in the mechanism meant that it never worked, so the Victorian age never acquired giant steampunk computers, and Ada’s code was never executed on an actual device.

The company sells a wide range of miniature open-source hardware boards and kits for hobbyists and professionals alike. (Think Raspberry Pi and Arduino, along with loads more custom hardware that’s even smaller and even funkier.)

What happened?

According to Adafruit’s public report:

The inadvertent disclosure involved an auditing data set used for employee training becoming public, on a GitHub repository associated with an inactive former employee’s account who was learning data analysis. The repository contained some names, email addresses, shipping/billing addresses and/or whether orders were placed successfully via credit card processor and/or PayPal, as well as details for some orders. There were no user passwords or financial information such as credit cards in the data analysis set.

Reading between the lines of the company’s notification, it sounds as though the leaked data had been sitting around in public for at least two years, given that the database entries exposed don’t go past 2019.

(Unfortunately, the report doesn’t say who reported the leaked data, when it was discovered, how obviously exposed it was, when the ex-employee concerned left the company, when the data was extracted from the company’s live data, or how many customers or records were involved.)

Adafruit claims that it got onto the job of removing the offending information within 15 minutes of hearing about the problem, contacting the ex-employee to get the data deleted, and kicking off an analysis to try to figure out who else might have seen it, and what they might have done with it.

From the report, it sounds as though the results of the forensic analysis were inconclusive – the company wasn’t able to specify with certainty whether the data was accessed or not, but it did comment: “[W]e are unaware of any actual misuse of the information”.

Nevertheless, Adafruit published a reminder that breaches of this sort, once reported, do provide a powerful pretext for cybercriminals.

The company is warning customers to watch out for apparently believable phishing campaigns that “warn” potential “victims” to take corrective action such as resetting their passwords via a handily-supplied but fake website, and for to bogus callers claiming to be offering “official support” and requesting personal information “for confirmation”:

As a reminder, for your security, we will never send you a link to reset your password as part of a security alert, our customer support team will never contact you asking for your password. If you receive an email of this nature, or otherwise suspect that someone is attempting to gain access to your account or solicit your personal information, or have any other questions about this process, please contact us at security@adafruit.com.

If phishing criminals do have access to actual names, addresses and order details from a company database breach, then their fraudulent emails can be made even more believable by including genuine historical data as believable but bogus “proof” that their scam warnings are real.

What to do?

  • If you’re a customer and you bought any Adafruit products before 2020. Take Adafruit’s own advice and be aware of possible phishing attempts that try to scare you with “urgent actions” allegedly necessitated by this breach.
  • If you’ve had a breach at your own company. By all means, use Adafruit’s official report as a partial example of how to respond, but try to include in your notification some of the content that Adafruit omitted. Firstly, offer a genuine apology – after all, if you aren’t sorry, why should customers think you care more about their security now than you did before? Secondly, if you have conducted or are still in the process of conducting a forensic analysis, as Adafruit claims, be clear what you have already found (including admitting what you don’t know and are unlikely ever to discover), or provide a date by which you expect to follow up with further details.
  • If you need test or training data to use outside your live systems. Don’t simply skim off real data and distribute it outside your secure servers for those purposes. Numerous tools exist both for redacting genuine data so that it reflects reality without revealing personal details, and for generating realistic but artificial data that is suitable for training.
  • If you’re entrusted with access to genuine company data. Don’t copy it or upload it anywhere other than official company locations. Especially don’t upload it to personal cloud accounts, such as GitHub storage – even if your motivations are honest and your intentions impeccable – where the company can’t fulfil its own data protection obligations, and can’t reliably revoke your access to it if you leave.

3 Comments

I don’t know, I get really irritated when corporates offers a “sincere apology” for things like this, because as far as I’m concerned, an apology based on a mistake of an employee that has since left is insincere by definition. They can shove their apology and rather detail what procedures they will put in place (and enforce) to try prevent such problems in future.

There’s also of course the problem that apologies are legally a bad idea. If someone sues you, it’s a type of admission of guilt that can get you into even deeper trouble.

When you write that you would be annoyed at a “sincere apology”, I assume the quotes are meant to imply that it *wouldn’t* be a sincere apology?

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?