Connect with us

Hi, what are you looking for?


Data Protection

Source Code From Major Firms Leaked via Unprotected DevOps Infrastructure

Source code belonging to tens of companies, including several major organizations, has been leaked online after it was found on unprotected DevOps infrastructure.

Source code belonging to tens of companies, including several major organizations, has been leaked online after it was found on unprotected DevOps infrastructure.

Swiss-based IT consultant Till Kottmann has posted a list of roughly 50 companies that at some point exposed source code. For some of the impacted organizations the code has been removed from the repository, but in many cases it’s still available.

Kottmann told SecurityWeek that the source code they’ve made public, much of which appears to be proprietary, mostly comes from improperly configured or exposed DevOps infrastructure. The researcher says the information mainly originates from SonarQube instances, but also from GitLab and Jenkins.

“Some of the things are also sent to me by various sources,” Kottmann explained. “I usually do not know how they obtained the code.”

The list of impacted companies appears to include Microsoft, Adobe, Johnson Controls, GE, AMD, Lenovo, Motorola, Qualcomm, Mediatek, Disney, Daimler, Roblox, Nintendo and various organizations in the software, hardware, healthcare, finance, automotive, travel and industrial sectors.

Source code from many companies leaked

Microsoft did not want to comment on the source code leak. Adobe told SecurityWeek that it’s aware of the website hosting the source code and it’s working on having the content removed. The Adobe source code is still online at the time of publishing.

“We have no evidence to suggest that any Adobe systems or customers have been compromised due to this issue,” the company stated.

Advertisement. Scroll to continue reading.

Kottmann said they try not to release anything that could put individuals in danger and they attempt to censor any credentials they find before making the code public. They also noted that impacted vendors have not been notified, unless important information (e.g. healthcare information) has been identified in the exposed files, in which case the data will not be made public and the vendor will be contacted.

“There are multiple aspects to this [project],” Kottmann explained. “It will hopefully show some companies that their own infrastructure also needs to be protected. I am also very curious and so are many other people, and this gives an interesting inside view into how (unfortunately often badly) proprietary projects are built.”

“In the case of things like Mediatek or Qualcomm this is obviously also about allowing people to do with their (mobile) devices what they please, and make things like custom roms easier,” the researcher added. “Lastly there is also, at least for some of these releases, certainly a political aspect that plays a role, but the other reasons overshadow this mostly.”

Related: BlueLeaks: Data From Hundreds of Law Enforcement Organizations Leaked Online

Related: Hackers Leak Data Stolen From UK Electricity Market Administrator Elexon

Related: Unprotected Database Exposed 5 Billion Previously Leaked Records

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.