A joint analysis of the ransom attack against code repositories hosted on Github, Gitlab and Atlassian Bitbucket earlier this month has confirmed that it was due to users inadvertently leaking access credentials.
Hundreds of users discovered that their public and private repositories had been wiped, with a file containing a ransom note added to them.
Unless the users whose accounts had been compromised paid 0.1 Bitcoin (approximately A$1,140 as of publication) within ten days to recover their data, the attackers threatened to make the code public "or use them otherwise".
The identity of the extortionist has not yet been discovered, but the person or people remains an active threat.
Although the ransom-taking ceased on May 2, scans for publicly exposed .git/config and similar environment files that can hold sensitive credentials and personal access tokens continued for eight days after, from the same internet protocol address that compromised the user accounts.
The small amount - 0.00052525 or approximately A$4.30 - sent to the attacker's Bitcoin address has remained unchanged.
Security teams at the three open source code repository hosting services investigating the attack found a dump of legitimate user credentials on the same provider from which the attacks had originated, and invalidated them to prevent further compromises.
Github, Bitbucket and Gitlab are now confident that the incident was down to users accidentally exposing credentials and personal access tokens on their own servers, and not due to the code hosting services themselves being compromised.
All three Git repositories offer multi-factor authentication for accounts, and recommend that users enable the security feature along with strong and unique passwords.
However, personal access tokens must be kept secure as well, since they can bypass multi-factor authentication and open up repositories like passwords, with read and write access to them.
This is a known security issue, with users again being warned not to expose .git and .git/config directories and files in public repositories and web servers if they contain access credentials.
Github and Gitlab can scan for tokens and warn service providers if they have published access credentials on public repositories.
Bitbucket allows admins to require 2FA for users and supports whitelists to restrict access to specific IP addresses, as an additional security measure.