Delivered-To: davem@devkitpro.org
Received: by 2002:a92:9f18:0:0:0:0:0 with SMTP id u24csp2251361ili;
    Fri, 8 Feb 2019 10:25:40 -0800 (PST)
X-Google-Smtp-Source: AHgI3IbUJe5f+Jt6VUb4RvZ5SLEcfw2s37OL6ecgLWaiJnJg8mZw8hWYZ766sKjS6Pq/Gjj8Iu4h
X-Received: by 2002:a17:902:8d8d:: with SMTP id v13mr4866870plo.121.1549650340314;
    Fri, 08 Feb 2019 10:25:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1549650340; cv=none;
    d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
    h=to:subject:reply-to:references:mime-version:message-id:in-reply-to
    :from:dkim-signature:date:content-transfer-encoding:auto-submitted;
    bh=8vDRYGMbNSkKINXHvFCaZ00evqtQy5AxVNb7EVcoK3w=;
ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@zendesk.com header.s=zendesk1 header.b=HWOLawSi;
    spf=pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) smtp.mailfrom=support@gitlab.com;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=gitlab.com
Return-Path: <support@gitlab.com>
Received: from out5.pod5.iad1.zdsys.com (out5.pod5.iad1.zdsys.com. [192.161.153.72])
    by mx.google.com with ESMTPS id j28si2699655pgm.160.2019.02.08.10.25.39
    for <davem@devkitpro.org>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Fri, 08 Feb 2019 10:25:40 -0800 (PST)
Received-SPF: pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) client-ip=192.161.153.72;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@zendesk.com header.s=zendesk1 header.b=HWOLawSi;
    spf=pass (google.com: domain of support@gitlab.com designates 192.161.153.72 as permitted sender) smtp.mailfrom=support@gitlab.com;
    dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=gitlab.com
Received: from localhost (localhost.localdomain [127.0.0.1]) by out5.pod5.iad1.zdsys.com (Postfix) with ESMTP id 477BC1A3429 for <davem@devkitpro.org>; Fri, 8 Feb 2019 18:25:39 +0000 (UTC)
Auto-Submitted: auto-generated
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="--==_mimepart_5c5dc9a29515b_db943fa2ae2bcf601060bc"; charset=utf-8
Date: Fri, 08 Feb 2019 18:25:38 +0000
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zendesk.com; q=dns/txt; s=zendesk1; t=1549650338; bh=8vDRYGMbNSkKINXHvFCaZ00evqtQy5AxVNb7EVcoK3w=; h=date:from:reply-to:to:message-id:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding; b=HWOLawSiC+f0MeMKoH9d15lg+ux6XAGGPj5npNc6+nv4Drg+1LYZ/FZnGyBiAhNqwG/BART4KuzTo8xYtudnd6M2G0Q36+nDLRqYFsAMVwBJNDoStJaa2tShEwnHb8uCsKmzxbEafys5jN6/3T3em7ddd/baFQJdrT+6gB6HMXs=
From: "Security Team (GitLab Support)" <support@gitlab.com>
In-Reply-To: <CAAjerbKo1JZuVtV_Onc3WupGG4orKAbT=3Pt0rKC3_+BhkUKzg@mail.gmail.com> <XZVE8Z2GDO_5c5d76ff9d272_1712e3ffb77ebcf5088618_sprut@zendesk.com>
Message-Id: <XZVE8Z2GDO_5c5dc9a2ee37_db943fa2ae2bcf601059cf_sprut@zendesk.com>
Mime-Version: 1.0
Received: from out1.pod14.use1.zdsys.com (out1.pod14.use1.zdsys.com [10.217.92.183]) by out5.pod5.iad1.zdsys.com (Postfix) with ESMTP id D55AA1CCBE5 for <davem@devkitpro.org>; Fri, 8 Feb 2019 18:25:38 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by out1.pod14.use1.zdsys.com (Postfix) with ESMTP id D03F51800097 for <davem@devkitpro.org>; Fri, 8 Feb 2019 18:25:38 +0000 (UTC)
Received: from zendesk.com (unknown [10.217.102.79]) by out1.pod14.use1.zdsys.com (Postfix) with ESMTP id 9E50B1800096 for <davem@devkitpro.org>; Fri, 8 Feb 2019 18:25:38 +0000 (UTC)
References: <XZVE8Z2GDO@zendesk.com> <XZVE8Z2GDO_5c5d76ffa8c1c_1e5883fdae68bcf582693d0_sprut@zendesk.com> <XZVE8Z2GDO_5c5d74793b54d_fe6f3f97414bcf5427294f_sprut@zendesk.com> <XZVE8Z2GDO_5c57c44dea19c_32793feeb3cbcf501560d5_sprut@zendesk.com> <XZVE8Z2GDO_5c57d0be4803d_d2dd3fe6ef2bcf58799b9_sprut@zendesk.com> <CAAjerbKo1JZuVtV_Onc3WupGG4orKAbT=3Pt0rKC3_+BhkUKzg@mail.gmail.com> <CAB64wYHKyj27nLtR_LBPijz5onvzd2kXC9j5wYzK8if0quQBUg@mail.gmail.com>
Reply-To: GitLab Support <support@gitlab.com>
Subject: [GitLab, Inc.] Re: compromised account
To: Dave Murphy <davem@devkitpro.org>
X-Auto-Response-Suppress: All
X-Delivery-Context: event-id-602252322794
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: 2cbf2e0
X-Zendesk-Message-Id: <XZVE8Z2GDO_5c5dc9a2ee37_db943fa2ae2bcf601059cf_sprut@zendesk.com>

----==_mimepart_5c5dc9a29515b_db943fa2ae2bcf601060bc
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

##- Please type your reply above this line -##

Your request (113388) has been updated. To add additional comments, reply to this email.

----------------------------------------------

Security Team, Feb 8, 13:25 EST

Hi Dave,

My name is Paul Harrison, the Senior Security Engineer who investigated this incident. I'm sorry for the delayed investigation and response, and I am now leading an effort to improve the end-to-end handling of security engagements so these delays don't occur in the future.

Here is my assessment of the events to answer your questions as best as possible; some were mentioned by Tom Atkins earlier:

- The attacker was seen making a single login attempt, which was successful, at 20:23 UTC.

By having no failed attempts and immediately succeeding, this would imply the attacker had prior knowledge of the password, obtained from another source such as a website/database breach or phishing attack. Additionally, without two-factor authentication being enabled on the account, there were no other barriers to prevent access.

- The password change was performed almost immediately following the successful login, also at 20:23 UTC.

The password change procedure in GitLab requires the user to enter the existing password in addition to entering the new password in duplicate. This is to prevent many forms of account takeovers but is unfortunately ineffective when the attacker has knowledge of the existing password.

We will investigate ways to improve the password change notification to include functionality such as the ability to disable access to an account or a means of urgently notifying us of an issue, as I agree that while the email notice is valuable it does not provide you with much recourse. Unfortunately, in this specific circumstance, these two suggestions, or the one you provided to prevent the change, would not have been adequate to prevent or mitigate the incident, due to the delay between the event and when you saw the notice as well as the attacker's knowledge of the existing password.

- Between 20:23 UTC and 20:49 UTC the attacker accessed, downloaded, and deleted many (if not all) repos while logged in as WinterMute.

I can confirm the attacker downloaded archives of the following projects under WinterMute and devkitpro prior to deleting them. We are unable to restore these projects.

<redacted>

We have retained audit and application logs of this event; however, as they may contain personal data of third parties, we are unable to release this information without a court order or subpoena.

As Tom mentioned in his previous email, we recommend that all users use strong, unique passwords and enforce two-factor authentication on all online accounts. Had 2FA been enabled, the attacker could not have accessed this account.

Please let me know if you have any additional questions or comments.

Thank you,

Paul Harrison
Senior Security Engineer, Security Operations | GitLab, Inc.

Security Team
GitLab, Inc.
----------------------------------------------
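A defender-side correlation of the sequence the email describes (a first-try successful login, a password change within minutes, then mass project deletion), as an added example that is not part of this email or of GitLab's own tooling; the audit-log format, dates and project names are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not GitLab's): <UTC ts> <user> <event> [<project>]
SAMPLE_LOG = """\
2019-02-07T20:23:02Z WinterMute login_success
2019-02-07T20:23:41Z WinterMute password_changed
2019-02-07T20:24:10Z WinterMute project_downloaded devkitpro/project-a
2019-02-07T20:24:55Z WinterMute project_deleted devkitpro/project-a
2019-02-07T20:30:12Z WinterMute project_deleted devkitpro/project-b
2019-02-07T20:49:00Z WinterMute project_deleted WinterMute/project-c
2019-02-07T21:00:00Z alice login_failed
2019-02-07T21:00:30Z alice login_success
2019-02-07T21:01:00Z alice password_changed
"""

def parse_event(line):
    """Split one log line into (timestamp, user, event, project or None)."""
    ts, user, event, *rest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, (rest[0] if rest else None)

def find_takeovers(log_text, change_window=timedelta(minutes=5),
                   delete_window=timedelta(minutes=30), min_deletes=2):
    """Return one alert per user whose successful login is followed within change_window
    by a password change and within delete_window by at least min_deletes deletions."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            by_user[ev[1]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (login_ts, _, kind, _) in enumerate(events):
            if kind != "login_success":
                continue
            later = events[i + 1:]
            change = next((e for e in later if e[2] == "password_changed"
                           and e[0] - login_ts <= change_window), None)
            deletes = [e for e in later if e[2] == "project_deleted"
                       and e[0] - login_ts <= delete_window]
            if change is None or len(deletes) < min_deletes:
                continue
            # A success with no failed attempt just before it points to a password that
            # was already known (breach reuse or phishing) rather than guessed online.
            no_failures = not any(e[2] == "login_failed" and login_ts - e[0] <= change_window
                                  for e in events[:i])
            alerts.append({"user": user, "login": login_ts, "password_change": change[0],
                           "deleted": [e[3] for e in deletes], "no_prior_failures": no_failures})
    return alerts
```

In the sample, only WinterMute matches all three stages; alice's password change after a failed attempt and with no deletions is not flagged.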