Information Security News mailing list archives

Credentials stored in Ashley Madison's source code might have helped attackers


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 8 Sep 2015 14:48:18 +0000 (UTC)

http://www.computerworld.com/article/2981553/security/credentials-stored-in-ashley-madisons-source-code-might-have-helped-attackers.html

By Lucian Constantin
IDG News Service
Sept 8, 2015

If you're a company that makes its own websites and applications, make sure your developers don't do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.

Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com's owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company's IT infrastructure.

The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company's now-former CEO and the source code for the company's other online dating websites including CougarLife.com and EstablishedMen.com.

A London-based security consultant named Gabor Szathmari has found evidence that ALM's developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company's network.

[...]


