Comment by ncantelmo

8 years ago

There's also a high chance that document was shared on Slack. In which case, they were one Slack breach away from the entire world having write access to their prod database.

It's depressing how many companies blindly throw unencrypted credentials around like this.

Tell me about it. Fortunately where I work is sane and reasonable about it.

We have a password sheet. You have to be on the VPN (login/password). Then you can log in. Login/Password (different from above)/2nd password+OTP. Then a password sheet password.

I'm still rooting out passwords from our repo with goobers putting creds in source code (yeah, not config files....grrrrr). But I attack them as I find them. I've only found 1 root password for a DB in there... and thankfully changed!
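The "rooting out creds from source code" chore above can be partly automated. The following scanner is an added example, not code from anyone in this thread; it flags hardcoded credential assignments, passwords embedded in connection URLs and AWS-style access key IDs in a constructed source snippet, skips obvious placeholders, and reports only a masked prefix so the findings themselves don't become another leak.

```python
import re
from typing import List, Tuple

# Patterns for common ways credentials end up in source (assumed, not exhaustive).
# Each pattern captures the secret value in a group named "val".
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(
        r"""(?i)(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'](?P<val>[^"']{6,})["']""")),
    ("db_url", re.compile(r"""(?i)\b[a-z][a-z0-9+]*://[^/\s:]+:(?P<val>[^@\s]+)@""")),
    ("aws_key", re.compile(r"(?P<val>AKIA[0-9A-Z]{16})")),
]

# Values that look like secrets but are clearly placeholders or templated references.
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|xxx+|\$\{.*\}|<.*>)$")


def mask(value: str) -> str:
    """Keep only a short prefix so reports don't reproduce the secret."""
    return value[:2] + "***"


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, masked value) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match or PLACEHOLDER.match(match.group("val")):
                continue
            findings.append((lineno, name, mask(match.group("val"))))
            break  # one finding per line is enough to block the commit
    return findings


# Constructed sample file: two real leaks, one AWS example key, two false-positive traps.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2hunter2"
conn = connect("postgres://root:s3cr3tRootPw@db.internal/prod")
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "${API_KEY}"
password = 'changeme'
token = os.environ["TOKEN"]
'''

if __name__ == "__main__":
    for lineno, kind, masked in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} -> {masked}")
```

Wired into a pre-commit hook, a non-empty result is the signal to reject the commit and rotate whatever was found, since a secret that reached the repo once has to be treated as exposed.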

  • A plaintext password sheet? Despite the layers of network access control, this is a horribly bad practice in our modern age. Vault is free and encrypted secret storage systems are hardly a new concept.

    • Not at all. The password sheet password is actually a GPG key. Everything stored encrypted.

      We suffer from NIH greatly. We end up rolling our own stuff because either we don't trust 3rd party stuff, or it doesn't work in our infrastructure. In this case, multiple access locks with GPG is sufficient.


Slack getting hacked would definitely be a mess. There's going to be so many cloud credentials, passwords, keys, customer info...

The exact same Slack that he remained in for several hours after being fired. An even worse way to provoke a response from a disgruntled employee...