Canonical, the maker of Ubuntu, has confirmed that its GitHub account was hacked on July 6. The Ubuntu security team issued a statement saying that the credentials of a Canonical-owned account on GitHub were compromised.
The unknown attackers used the compromised account to “create repositories and issues among other activities.” The company has now removed the hijacked account from the Canonical organization on GitHub.
Ubuntu source code is safe so far
While the extent of the breach is still being investigated, the security team said that there is no indication that the source code or PII was affected.
Moreover, the Launchpad infrastructure where the Ubuntu distribution is built and maintained has been disconnected from GitHub. There is also no sign that it has been affected.
The mirror of the hacked Canonical GitHub account shows that the attacker created 11 new GitHub repositories sequentially named CAN_GOT_HAXXD_1. Surprisingly, those repositories were empty.
So it seems that the hacking incident was limited to defacement only as there is no proof of existing data being changed or deleted.
Meanwhile, a cyber-security firm called Bad Packets tweeted that it detected internet-wide scans for Git configuration files just two days before the incident.
I'm interested if there's any correlation with the recent mass scanning for exposed git config files. https://t.co/ckGt158CXc
— Bad Packets Report (@bad_packets) July 7, 2019
Sometimes, such files contain credentials for Git accounts, like the ones used to manage the account on GitHub. So it is possible that these two incidents are related.
However, we will have to wait until the Ubuntu security team finishes its investigation and publishes its final report.