I am sure someone is just going to say don't read anything on Reddit. However, I saw a post on there that an API was exposed and the attacker could download all a person's messages? I'm not sure how true any of it is: Reddit - Dive into anything
Our official response as posted by @rabbit on Discord:
Today we were made aware of an alleged data breach. Our security team immediately began investigating it. As of right now, we are not aware of any customer data being leaked or any compromise to our systems.
If we learn of any other relevant information, we will provide an update once we have more details.
Any update here, Simon?
Hi Dave,
I believe the investigation is close to conclusion and we are aiming to post more details next week. I will check up on this after the US holiday.
Hi tech team,
Without any polemical streak or intention to twist the knife in the wound, it would be interesting to know what measures you are taking regarding the very serious safety problems highlighted by the Rabbitude team.
Thanks
Gah - I don’t think we cross-posted this to the forums… sorry
Here’s the page we were using to keep folks up to date during the event.
TLDR version:
- Implemented a tool to prevent secrets from being stored in code in the future
- Big pile of secret rotations happened
- Small pile of secrets we missed the first time were moved OUT of code
- Hiring a 3rd party to review/ensure that we didn’t miss anything
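The first item in the list above, a tool that stops secrets from landing in code, is the kind of check a pre-commit hook or CI job runs. The snippet below is an added illustration of how such a check works and is not Rabbit's tool or any code from this thread: it flags a quoted literal assigned to a credential-like name, and separately flags any long, high-entropy literal (a random-looking string is what an API key usually is). The sample source lines, the variable names and the thresholds are all constructed for the example; the "secrets" in it are made-up strings, not real credentials.

```python
"""Minimal hardcoded-secret scanner (illustrative example, not a production tool)."""
import math
import re
from collections import Counter

# Assumed thresholds for this example; a real tool would tune these per language.
MIN_LITERAL_LEN = 20
ENTROPY_THRESHOLD = 3.5  # bits per character

# A credential-like identifier (api_key, SESSION_TOKEN, password...) assigned a quoted literal.
KEY_NAME_RE = re.compile(
    r'(?i)\w*(api[_-]?key|secret|token|password|passwd)\w*["\']?\s*[:=]\s*["\']([^"\']+)["\']'
)
# Any quoted literal made only of key-alphabet characters and long enough to be a token.
LITERAL_RE = re.compile(r'["\']([A-Za-z0-9_\-]{%d,})["\']' % MIN_LITERAL_LEN)


def shannon_entropy(s):
    """Bits of entropy per character of s (random-looking keys score high)."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value):
    """Never echo a suspected secret back in full; keep a short prefix for triage."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_source(text):
    """Return (line_number, reason, redacted_value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEY_NAME_RE.search(line)
        if m:
            findings.append((lineno, "credential-like name assigned a literal", redact(m.group(2))))
            continue
        for lit in LITERAL_RE.findall(line):
            ent = shannon_entropy(lit)
            if ent >= ENTROPY_THRESHOLD:
                findings.append((lineno, f"high-entropy literal ({ent:.2f} bits/char)", redact(lit)))
    return findings


def is_clean(text):
    """What a pre-commit hook would check: True means nothing to block."""
    return not scan_source(text)


# Constructed sample "source file"; every value here is invented for the example.
SAMPLE_SOURCE = "\n".join([
    'BASE_URL = "https://api.example.invalid/v1"',        # URL: not a key alphabet, ignored
    'timeout_seconds = 30',
    'api_key = "Zq9xK2mP7vL4nT8wR1yB6sH3"',                # flagged by name
    'password = os.environ["SERVICE_PASSWORD"]',          # correct pattern: read from env, not flagged
    'signing_material = "p4Xw7Lq2Rn9TzB6vKm3Hd8Yc"',       # innocuous name, flagged by entropy
    'PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"',            # long but zero entropy, ignored
])

if __name__ == "__main__":
    for lineno, reason, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}: {value}")
    print("clean" if is_clean(SAMPLE_SOURCE) else "BLOCK COMMIT")
```

Run against the sample it reports lines 3 and 5 and would block the commit; line 4 shows the shape the code should take instead (the secret lives in the environment or a secrets manager, and the code only references its name). A check like this is a guard, not a substitute for the rotation step in the list above: once a key has been committed it must be treated as exposed regardless of whether the commit is later removed.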
Thank you for your quick reply @mattdomko
I was almost certain that you had already done something to address the issue, but searching here in the community I hadn't found anything about it, so I took the liberty of asking for information about it.
I’m sorry you were forced to fire your employee responsible for the code leak, but indeed he could have brought this up internally to resolve the problem.
Anyway, from this specific affair both you as a technology company and we as users have a lot to learn.
Here’s a link to another thread with a TLDR + a link to the response doc
https://forum.rabbitcommunity.tech/t/rabbitude-hardcoded-api-keys-issue/10554/2
I’ve merged the two topics - my apologies for not keeping the thread updated, I’ve been travelling over the holiday weekend! Thanks @mattdomko for stepping in