Rollbar and similar (Logz.io, Datadog, New Relic, etc) are such honeypots - JACKPOTS - for anyone capable of harpooning their way in that I'm surprised they aren't targeted more frequently.
It looks like every project by default has a standing token with read privileges. It never expires and its not opt-in. Unless I’m missing something, that seems ridiculous.
Hi, Brian from Rollbar here. We believe that the items listed comprise the entirety of the scope. We will be able to state definitively once forensic analysis is complete.
GitHub tokens are not exposed. More specifically: customer credentials stored for third party integrations (i.e. GitHub, Slack, JIRA) are stored encrypted using a key that is not stored in the database, so those are not exposed.
5 comments
[ 3.4 ms ] story [ 40.1 ms ] threadUnless they are.
Not really my wheelhouse.
I’d like to see a more explicit statement that lets us know things like GitHub credentials for source code integration have not been compromised.
“our initial forensic research indicates the unauthorized party accessed data about your account, including:
Rollbar usernames and user email addresses Account names Project and environment names Project access tokens Project service link configuration”
GitHub tokens are not exposed. More specifically: customer credentials stored for third party integrations (i.e. GitHub, Slack, JIRA) are stored encrypted using a key that is not stored in the database, so those are not exposed.
I think you are saying the attacker did or could have aquired the encrypted customer credentials but not the decryption key.
If that is the case could provide some more detail about the type of encryption to reassure us that it can not be brute forced.