Back in 2017, Facebook suffered a source code leak, initially believed to have been the result of either a developer intentionally leaking it or a security loophole in company servers. The source code leak gave away critical information about the application’s structure and development practices, which ultimately raised some serious data privacy concerns. Once the leak was publicly announced, Facebook said it was not caused by a data breach, but by a misconfigured web server, forgoing the usual mention of a ‘glitch’.
In 2020, there have been two major source code leaks worth mentioning: Intel and Windows, both occurring within weeks of each other. In early August, some 20 GB of Intel’s intellectual property and source code were leaked, including BIOS source code, software simulators, and SpaceX cameras firmware. Soon after, at the end of September, source code for Windows XP SP1 and Windows Server 2003 was leaked.
In 2015, The U.S. Department of Homeland Security warned that 90% of cyber breaches occur from code vulnerability exploits. The situation has not really improved in the meantime, as another industry report points out that 75% of data breaches are still caused by source code leaks which include passwords and access keys.
It is not that uncommon for corporate, confidential information or source code to end up on the internet for public access. Most often, technical leakage can be the result of software misconfigurations, malicious exploits or simply human errors. In some cases, software developers will intentionally leak source code on public platforms to try and save a project when it reaches end-of-life. Others are not guided by good intentions, and are more interested in malicious activities. This type of nefarious developers will inject malicious code to infect others working on it or downloading it.
Company secrets can easily be leaked online on external public platforms. If you are concerned that your technical secrets may have been compromised, you can take a look at the following platforms:
- Cloud-based, collaborative code repositories such as GitHub, Bitbucket, GitLab, or Azure DevOps Services
- Paste sites such as Pastebin, ControlC, Hastebin, or Privatebin
- Online forums such as 4chan
- Databases such as MongoDB
- Darknet forums
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
Willful or not, technical leaks can have a negative impact on business operations and reputation among consumers and partners. If code is publicly revealed, third-parties can leverage it to pursue illegal activities that may harm the company, such as developing fraudulent websites to impersonate the brand or scan the source for exploits. Once they gain access to the code, malicious actors can remove protection, initially embedded to prevent piracy, and build their malicious program on that code. Competitors are also worth mentioning, because they might take advantage of the leak to get hold of intellectual property or engineering secrets they can use against you. This can compromise infrastructure security, your revenue, and investments.
Source code leaks are bad news and have affected companies from multiple industries. While some may believe that only video game or technical companies can fall victim to this type of risks, retail, manufacturing, healthcare, banking, and local government organizations have also experienced this type of data compromise throughout the years. Sometimes, the lack of manpower or resources prevents companies from properly monitoring their digital footprint, and source code leaks may stay unnoticed for weeks. Luckily, there are some digital risk protection tools available that could help with real-time monitoring to expand platform coverage.