@isaacs
Created March 22, 2014 00:00
<p>The files that could have been potentially accessed included a ton of sensitive information: SSL keys, database passwords with read/write access to our production databases, basically everything you never want a third party to see. Somebody with access to the database could replace npm modules with malicious payloads. I don't want to blur the truth here: this could have been a disaster. It is very much like the <a href="http://venturebeat.com/2013/01/30/rubygems-org-hacked-interrupting-heroku-services-and-putting-millions-of-sites-using-rails-at-risk/">rubygems.org security breach</a> in early 2013, and we are similarly lucky that the effect was not much much worse.</p>
<p>Thankfully, there's no evidence that anyone other than ourselves, the engineers who reported the bugs, and a few members of the GitHub security team who knew about the issue was aware of this hole. But, in the interests of transparency, we should be clear that we can't <strong>prove</strong> that: the logs we kept at the time were not retained long enough to be sure that nobody had ever accessed sensitive data (though we know nobody did so in the month prior to the disclosure). We were just lucky that the first people to find it were friendly and responsible, and we are immensely grateful to Will Farrington and Charlie Somerville for their efforts.</p>