Canonical's GitHub account hacked and 11 new repositories are created

Just a few days ago, the GitHub account owned by Canonical (the company behind Ubuntu) was hacked and used to create 11 new GitHub repositories.

Once this came to light, the company started an investigation to determine the extent of the breach. The company also removed the compromised account from GitHub, and the Launchpad infrastructure, where the Ubuntu distribution is built and maintained, was disconnected from GitHub.

The organization is also conducting an audit and is implementing the necessary remediations. However, Canonical confirmed that there has been no evidence that any source code or sensitive information was impacted. The Ubuntu Security team stated the following about the hacking incident:

“We can confirm that on 2019-07-06 there was a Canonical owned account on GitHub whose credentials were compromised and used to create repositories and issues among other activities,”

Interestingly, two days before the incident, the cyber-security firm Bad Packets detected internet-wide scans for Git configuration files.

The following information was shared in one of the tweets:

“Incoming scans detected from 185.234.219.239 checking for exposed dotfiles (configuration files):

/.env

/.ftpconfig

/.remote-sync.json

/.vscode/ftp-sync.json

/.vscode/sftp.json

/deployment-config.json

/ftpsync.settings

/sftp-config.json #threatintel,"
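
To check your own web server for the same probes, the sketch below flags access-log requests for the paths listed in the tweet and marks any that were answered with a 2xx status, meaning the file was actually served. It is an added example, not part of the original article; it assumes common/combined log format, and the function name and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Paths listed in the tweet quoted above.
PROBED_DOTFILES = {
    "/.env", "/.ftpconfig", "/.remote-sync.json", "/.vscode/ftp-sync.json",
    "/.vscode/sftp.json", "/deployment-config.json", "/ftpsync.settings",
    "/sftp-config.json",
}

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Jul/2019:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [04/Jul/2019:10:00:02 +0000] "GET /sftp-config.json HTTP/1.1" 200 412
198.51.100.7 - - [04/Jul/2019:10:00:03 +0000] "GET /.vscode/sftp.json?x=1 HTTP/1.1" 404 153
203.0.113.9 - - [04/Jul/2019:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [04/Jul/2019:10:05:09 +0000] "GET /.ENV HTTP/1.1" 403 0
this line is malformed
"""

def find_dotfile_probes(log_text):
    """Return {source_ip: {"probed": set(paths), "exposed": set(paths)}}."""
    hits = defaultdict(lambda: {"probed": set(), "exposed": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        # Drop the query string, collapse repeated slashes, compare in lower case.
        path = re.sub(r"/+", "/", target.split("?", 1)[0]).lower()
        if path not in PROBED_DOTFILES:
            continue
        hits[ip]["probed"].add(path)
        if status.startswith("2"):  # the file was served: treat as an exposure
            hits[ip]["exposed"].add(path)
    return dict(hits)

if __name__ == "__main__":
    for ip, r in find_dotfile_probes(SAMPLE_LOG).items():
        print(ip, "probed", sorted(r["probed"]), "EXPOSED", sorted(r["exposed"]))
```

Any path reported as exposed should be removed from the web root or blocked at the server, and any credentials it contained should be rotated.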
