
Canonical’s GitHub account hacked


Canonical, the maker of the Ubuntu operating system, recently revealed that it has suffered a hacker attack. In an official statement, the company said that hackers compromised its account on GitHub, a code-sharing site, on July 6, 2019, and created 11 new repositories. The attackers apparently did not access any sensitive information or manipulate source code, ZDNet reported.

“We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities. Canonical has removed the compromised account from the Canonical organization in GitHub and is still investigating the extent of the breach, but there is no indication at this point that any source code or PII was affected,” Ubuntu said in a Twitter post.

Security officials at Ubuntu stated that they will publish an update for customers once they finish investigating the security incident. “Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected,” it added.

GitHub faced a similar issue when Chinese drone maker Da-Jiang Innovations (DJI) landed itself in a cybersecurity row over a bug bounty issue. On November 21, 2017, Kevin Finisterre, an independent security researcher, claimed that he found a private key publicly posted on the code-sharing site GitHub, after which he was able to access confidential and sensitive customer information and saw “unencrypted flight logs, passports, drivers’ licenses and identification cards.”

After discovering the flaw in the security system, he approached the firm, which in turn initially offered a bug bounty reward of up to $30,000 (£23,000) and offered to hire him as a consultant. Finisterre also claimed that the company tried to make him sign a non-disclosure contract, which he refused to sign. The Next Web reported that DJI threatened to charge him under the Computer Fraud and Abuse Act (CFAA).