GitHub ‘encourages’ hacking, says lawsuit following Capital One breach

GitHub has been named in a class action lawsuit because the hacker who allegedly stole data from more than 100 million Capital One users posted details about the theft onto the platform.

GitHub is a code-hosting platform for version control in software development that uses Git and lets coders collaborate remotely on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.

The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.

The suit says that GitHub had an obligation under California law and industry standards to keep Social Security numbers (SSNs) and personal information off its site, or to remove them. It says that doing so should be easy, given that SSNs are all nine digits long, in the sequence of XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”

The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.

However, Capital One and GitHub spokespeople told news outlets that the data uploaded to GitHub by the hacker didn’t contain any personal information. ZDNet quoted the GitHub spokesperson:

“The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request.”

Ex-Amazon systems engineer arrested

Last week, FBI agents arrested 33-year-old Paige A. Thompson, of Seattle – also known by her username “erratic” on social media platforms – for allegedly posting information on GitHub about stealing data from Capital One servers via a misconfigured firewall.

Last Monday, 29 July 2019, FBI agents executed a search warrant at Thompson’s home and seized electronic storage devices allegedly containing a copy of the leaked data.

The devices held nearly 30GB of Capital One credit application data from an unspecified rented cloud data server. Capital One said the breach affected about 100 million people in the US, 6 million in Canada, and any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019). The data included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income. Affected data for some customers also included credit scores, credit limits, balances, payment history, contact information, SSNs, and bank account numbers linked to credit cards.

The complaint didn’t identify the cloud-hosting provider from which the Capital One credit data was taken, but it did say that Thompson’s resume indicates that she worked as a systems engineer at the unnamed provider between 2015 and 2016.

Last Monday, the FBI alleged that Thompson, under the “erratic” nickname, talked about hacking Capital One and other companies in Twitter direct messages. She also used a public Meetup group, the FBI said, again using her “erratic” alias to invite others to join a Slack channel named “Netcrave Communications.”

Lawsuit says GitHub encourages “friendly hacking”

The 28-page lawsuit, filed on Thursday, asserts that GitHub “actively encourages (at least) friendly hacking.” The suit points to a GitHub repository named “Awesome Hacking” that lists resources for hacking, bug bounties, fuzzing, penetration testing, reverse engineering and more.

But, as on other platforms that host links to user-provided content such as that provided by Awesome Hacking, GitHub’s staff and management aren’t associated with that repository. Rather, it’s owned by a GitHub user who identifies themselves as a security researcher and who claims to live in India.

Awesome Hacking is only one of thousands of GitHub repositories that host similar hacking and pen-testing materials, none of which are illegal. The lawsuit doesn’t acknowledge that GitHub users, not GitHub itself, are responsible for making sure the content they post abides by the platform’s rules.

Sabita Soneji, a lawyer for the plaintiffs, told Newsweek that GitHub has an obligation to filter posts and offer some monitoring for information posted on its platform.

Newsweek quoted a GitHub spokesperson’s response:

“GitHub promptly investigates content, once it’s reported to us, and removes anything that violates our Terms of Service.”