Author Topic: Adafruit Data Breach


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 39026
  • Country: au
    • EEVblog
Adafruit Data Breach
« on: March 06, 2022, 05:27:08 am »
Data breach at Adafruit, and they didn't inform anyone.

https://blog.adafruit.com/2022/03/04/a-github-repository-was-public-viewable/

Quote
MARCH 4, 2022 AT 8:00 AM
A GitHub repository was public-viewable

We’ve recently become aware of an inadvertent private-to-public viewable GitHub repository that could have enabled unauthorized access to information about certain user accounts on or before 2019.

The inadvertent disclosure involved an auditing data set used for employee training becoming public, on a GitHub repository associated with an inactive former employee’s account who was learning data analysis. The repository contained some names, email addresses, shipping/billing addresses and/or whether orders were placed successfully via credit card processor and/or PayPal, as well as details for some orders. There were no user passwords or financial information such as credit cards in the data analysis set.

Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository and the Adafruit team began the forensic process to determine what and if there was any access and what type of data was involved. Although we are unaware of any actual misuse of the information, we are providing this notice to you for transparency and accountability. We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use.

As a reminder, for your security, we will never send you a link to reset your password as part of a security alert, and our customer support team will never contact you asking for your password. If you receive an email of this nature, or otherwise suspect that someone is attempting to gain access to your account or solicit your personal information, or have any other questions about this process, please contact us at security@adafruit.com.

We would also like to thank all individuals who have and continue to contribute to the security of our users by disclosing vulnerabilities to us responsibly https://www.adafruit.com/reportingsecurityissues

Why aren’t we sending an email to every user?
We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case. Adafruit publishes all security disclosures on our blog and security pages. There is no action for the users to perform. There were no user passwords or financial information such as credit cards in the data analysis set.

https://www.adafruit.com/reportingsecurityissues
https://www.adafruit.com/responsibledisclosurethanks

Previous disclosure post(s):
https://blog.adafruit.com/2016/11/01/keeping-your-account-protected/

Phillip Torrone, Managing Director & Limor “Ladyada” Fried, founder and the Adafruit team – Adafruit, 150 Varick Street, NY, NY 10013
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 39026
  • Country: au
    • EEVblog
Re: Adafruit Data Breach
« Reply #1 on: March 07, 2022, 06:11:45 am »
FYI, Adafruit are blocking people on Twitter for mentioning this  :palm:
 

Offline Ed.Kloonk

  • Super Contributor
  • ***
  • Posts: 4000
  • Country: au
  • Cat video aficionado
Re: Adafruit Data Breach
« Reply #2 on: March 07, 2022, 06:30:53 am »
Quote
FYI, Adafruit are blocking people on Twitter for mentioning this  :palm:

Classic shit show. I resisted commenting, but here we are.
iratus parum formica
 

Offline hans

  • Super Contributor
  • ***
  • Posts: 1698
  • Country: nl
Re: Adafruit Data Breach
« Reply #3 on: March 07, 2022, 08:02:43 am »
Quote
We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case.

It's always fun to pack up a contradiction with many words, hoping no one will notice.
I'm actually more surprised a company wouldn't write the 2nd sentence the other way around. The last thing someone read will stick better.
 
The following users thanked this post: Ed.Kloonk, amyk

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: Adafruit Data Breach
« Reply #4 on: March 07, 2022, 09:32:56 am »
Quote
FYI, Adafruit are blocking people on Twitter for mentioning this  :palm:

... because
Quote
we are providing this notice to you for transparency and accountability.

What a bunch of hypocrites! :--
 

Online Ian.M

  • Super Contributor
  • ***
  • Posts: 13216
Re: Adafruit Data Breach
« Reply #5 on: March 07, 2022, 10:39:54 am »
As GitHub doesn't log downloads or repository clone operations, Adafruit have no way of knowing if the data has been grabbed by 'black hats' and if the data is used for identity theft, it is extremely unlikely Adafruit would be aware.

Their notice would be a lot more reassuring if it stated "All affected users have been notified", but it would seem that either they FUBARed the takedown and failed to capture the data set, or their lawyers advised an 'Ostrich' maneuver.
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 4002
  • Country: us
Re: Adafruit Data Breach
« Reply #6 on: March 07, 2022, 11:02:20 am »
The word "inadvertent" is sometimes used as it sounds better than mistake to some people. (Maybe they confuse it with unavoidable?) It was and maybe still is common for physicians to use it in hopes of avoiding a lawsuit.  I found its copious use in that disclosure surprising.

A corporate attorney where I once worked pointed out that in American law, "inadvertent" admits carelessness or inattentiveness, and thus can be better equated to "negligence."  There are whole treatises written about such words.

As others, I did find the "apology," if there was one, insincere.
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: Adafruit Data Breach
« Reply #7 on: March 07, 2022, 12:31:39 pm »
Their first lie was associating themselves with the mythology of Ada Lovelace (whom I presume the name refers to), which consists in approximately 50% of hype made up by Boomer feminists from the United Satan of America. Don't stick your credit card in crazy seems to apply >:D
 

Offline eugene

  • Frequent Contributor
  • **
  • Posts: 497
  • Country: us
Re: Adafruit Data Breach
« Reply #8 on: March 07, 2022, 02:07:39 pm »
Remember when everyone's name, address, and phone number was leaked every year by the phone company?
90% of quoted statistics are fictional
 
The following users thanked this post: boB

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: Adafruit Data Breach
« Reply #9 on: March 07, 2022, 03:07:01 pm »
Over here you can tick a box for more than 30 years to not be listed in any phone book. But the point is that the US has laws about notifying victims of data breaches (https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx).
 

Offline eugene

  • Frequent Contributor
  • **
  • Posts: 497
  • Country: us
Re: Adafruit Data Breach
« Reply #10 on: March 07, 2022, 04:54:19 pm »
There's no question that Adafruit made more than one poor decision. The first and most serious one being that they used real customer data for training purposes.

Me personally, I'm not too worried about the fact that one more bad guy has my phone number and email address. As for the strictly legal issues, meh. There's more to life that's not legislated than is.
90% of quoted statistics are fictional
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15797
  • Country: fr
Re: Adafruit Data Breach
« Reply #11 on: March 07, 2022, 07:24:33 pm »
Quote
There's no question that Adafruit made more than one poor decision. The first and most serious one being that they used real customer data for training purposes.

Uh yeah, definitely. And the second is storing that on GitHub.
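A defensive counterpart to the two points just made (real customer records used as a training set, and that set living in a git repository), as an added example that is neither Adafruit's nor any forum member's code: it de-identifies a constructed order export shaped like the data the notice describes, and adds a check a pre-commit hook could run so that identifiers never reach a repository, whatever its visibility setting happens to be. The sample rows, the key and the column names are assumptions.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample in the shape the notice describes (names, emails, shipping
# address, payment processor, order outcome). Every value here is made up.
RAW_CSV = """name,email,shipping_address,processor,order_ok,order_total
Alice Example,alice@example.com,"1 Main St, Springfield, US 12345",paypal,1,42.50
Bob Sample,bob.sample@example.org,"22 High Rd, London, GB SW1A 1AA",card,0,19.99
"""

# Per-data-set secret (assumed). It lives outside the repo, e.g. in a secrets
# manager; without it the pseudonyms below cannot be linked back to customers.
PSEUDONYM_KEY = b"rotate-me-and-never-commit-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the same customer stays joinable across rows, but a plain
    SHA-256 of an email would be trivially brute-forced, so HMAC with a secret
    key is used instead. Normalised so 'Alice@Example.com' == 'alice@example.com'."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def de_identify(raw_csv: str) -> str:
    """Return the training copy: direct identifiers replaced by a pseudonym,
    the address reduced to its country, order fields kept as-is since those
    are what a data-analysis exercise actually needs."""
    reader = csv.DictReader(io.StringIO(raw_csv))
    out = io.StringIO()
    fields = ["customer_id", "country", "processor", "order_ok", "order_total"]
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for row in reader:
        # "1 Main St, Springfield, US 12345" -> "US"
        country = row["shipping_address"].rsplit(",", 1)[-1].split()[0]
        writer.writerow({"customer_id": pseudonym(row["email"]), "country": country,
                         "processor": row["processor"], "order_ok": row["order_ok"],
                         "order_total": row["order_total"]})
    return out.getvalue()


def find_pii(text: str) -> list[str]:
    """Gate for a pre-commit hook: any email-shaped value means the file must
    not be committed, regardless of whether the repository is private today."""
    return EMAIL_RE.findall(text)
```

Run `find_pii` over every staged data file; the de-identified output passes while the raw export is refused.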
 

Offline floobydust

  • Super Contributor
  • ***
  • Posts: 7678
  • Country: ca
Re: Adafruit Data Breach
« Reply #12 on: March 07, 2022, 08:33:55 pm »
Silence about a data breach- from a company that touts support for trans rights LGBTQ, BLM - movements that are necessarily outspoken, is just gross.
Why they consulted with "our privacy lawyers and legal experts" but said nothing to customers  :palm:

I find Adafruit two-faced, if you suggest/complain/point out design mistakes, website issues, company policies that suck etc. it's usually met with silence or a defensive stance that they can do no wrong. Oh yeah, and just discontinue that dud product that makes us butthurt instead of fixing it with a Rev. 2
It's like they use the Waterfall model to run the place, can't handle any feedback/criticism, even when constructive or 100% warranted.

In electronics you are always getting it wrong.
The best EE's admit their mistakes, eat some humble pie and it's no big deal, learn and move on.
The worst EE's have their ego all in it and blame other things for the problems, they can't own it and spend their energy on containment.

Blocking people on Twitter because we can't take any of our earned butthurt? Silence is a reason authoritarian regimes grow and get out of control, I can't believe the hypocrisy of neo-liberals.

 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15797
  • Country: fr
Re: Adafruit Data Breach
« Reply #13 on: March 07, 2022, 08:53:18 pm »
While I knew there was some "politics" behind Adafruit, I've never really cared. What they have done was all in all not bad at all for hobbyists. But I admit their screw-up here probably comes from poor management, and their attitude regarding communication about it is pretty bad.
 

Offline eti

  • Super Contributor
  • ***
  • !
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
Re: Adafruit Data Breach
« Reply #14 on: March 07, 2022, 09:23:37 pm »
I don't shop at hipster "Maker" outlets, always get that cringe feeling which puts me right off, and I want no part of. And the sexual orientation BS is repellent, and puts me off even more. No sale, no way.
 
The following users thanked this post: Sal Ammoniac, amyk

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8550
  • Country: us
    • SiliconValleyGarage
Re: Adafruit Data Breach
« Reply #15 on: March 07, 2022, 09:24:08 pm »
Why is data like that stored on GitHub to begin with ?
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed, induced or compensated by my employer(s).
 

Online oPossum

  • Super Contributor
  • ***
  • Posts: 1472
  • Country: us
  • Very dangerous - may attack at any time
Re: Adafruit Data Breach
« Reply #16 on: March 07, 2022, 10:09:15 pm »
 
The following users thanked this post: thm_w

Offline eti

  • Super Contributor
  • ***
  • !
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
Re: Adafruit Data Breach
« Reply #17 on: March 07, 2022, 10:24:21 pm »
https://twitter.com/adafruit/status/1500834741041442817

That is worded in an incredibly childish tone - "We will try to earn your trust again"  :palm: - is this company run by 11 year olds? It sounds like an "apology" made under duress, from a naughty child to his headmaster when his parents are called into the office.
« Last Edit: March 07, 2022, 10:27:24 pm by eti »
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 7521
  • Country: ca
  • Non-expert
Re: Adafruit Data Breach
« Reply #18 on: March 07, 2022, 11:06:28 pm »
Seems like a reasonable response to me.

The blocking part I don't understand, but also seems to have been resolved:

Quote
FYI, I heard from Adafruit, they have unblocked everyone on their 13yo main account and personal accounts, and did not block anyone in recent days over this issue. The blocks must have been from an earlier period, and are now removed.
Dave Jones @eevblog
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline Sal Ammoniac

  • Super Contributor
  • ***
  • Posts: 1764
  • Country: us
Re: Adafruit Data Breach
« Reply #19 on: March 07, 2022, 11:51:53 pm »
Newly created repositories on GitHub are public by default. IMO new repositories should be private by default and the creator should have to tick the Public box to make them public, rather than the other way around. This sounds safer to me and is less likely to inadvertently divulge material that should never have been made public.
"That's not even wrong" -- Wolfgang Pauli
 

Offline Sal Ammoniac

  • Super Contributor
  • ***
  • Posts: 1764
  • Country: us
Re: Adafruit Data Breach
« Reply #20 on: March 07, 2022, 11:56:09 pm »
Quote
Their first lie was associating themselves with the mythology of Ada Lovelace (whom I presume the name refers to), which consists in approximately 50% of hype made up by Boomer feminists from the United Satan of America. Don't stick your credit card in crazy seems to apply >:D

If I had a name like Limor Fried I'd probably make up a silly name too.  :popcorn:
"That's not even wrong" -- Wolfgang Pauli
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 7521
  • Country: ca
  • Non-expert
Re: Adafruit Data Breach
« Reply #21 on: March 08, 2022, 12:07:42 am »
Quote
Newly created repositories on GitHub are public by default. IMO new repositories should be private by default and the creator should have to tick the Public box to make them public, rather than the other way around. This sounds safer to me and is less likely to inadvertently divulge material that should never have been made public.

GitLab does this, unlimited private repos.
I think GitHub used to charge for private repos, that's why they defaulted to everything being public.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline Gregg

  • Super Contributor
  • ***
  • Posts: 1156
  • Country: us
Re: Adafruit Data Breach
« Reply #22 on: March 08, 2022, 01:18:08 am »
A classic case of "fruit" spoiling rather than maturing.  >:D
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Adafruit Data Breach
« Reply #23 on: March 08, 2022, 01:56:50 am »
Quote
Remember when everyone's name, address, and phone number was leaked every year by the phone company?

Even today it's nearly that available. The last time I met a girl I was thinking of going on a date with I googled the phone number she gave me just to see if it was legit or came up with anything sketchy. I was kind of shocked when one of the first links was a page that had her full name, address, when she bought her house and how much she paid for it, the names of family members, the name of the company she works for, the name of her ex, and various other stuff. Searching for myself pretty easily finds similar information except for my phone number. It's really kind of creepy how much information is out there now and how hard it is to prevent it from getting spread around.
 

Online xrunner

  • Super Contributor
  • ***
  • Posts: 7836
  • Country: us
  • hp>Agilent>Keysight>???
Re: Adafruit Data Breach
« Reply #24 on: March 08, 2022, 02:05:55 am »
Quote
Remember when everyone's name, address, and phone number was leaked every year by the phone company?

Even today it's nearly that available. ...

I've still got free credit and identity theft monitoring resulting from a US government employee data breach, gosh it's been 15 years ago. I'll probably have it for ten more years last time I talked to them. Since then I've been in breaches from a credit reporting service and a big phone company breach not too long ago. Who knows how many others that are unknown.  :-\

I figure by now any thief that wants to go after me can get my records at will. I just hope that because of the sheer numbers of records out there I'll slip by.  :-DD
I told my friends I could teach them to be funny, but they all just laughed at me.
 
