A court has ordered code-sharing website GitHub to hand over details on its users after ride-hailing service Uber accidentally uploaded a sensitive password to the website and was subsequently hacked, The Register reports.
GitHub acts as a collaborative repository for users’ code and projects. They can upload what they’re working on to share their progress, or even work together. But in a serious blunder, an Uber employee uploaded an internal password to the site.
With this password, it was possible to access sensitive details on more than 50,000 of Uber’s drivers, including names and licence plates. This security key was subsequently used for just that — at the end of February, the company announced that an “unauthorised third party” had accessed an Uber database. The intrusion took place back in May 2014, and wasn’t discovered until September 2014.
Uber subsequently subpoenaed GitHub, demanding the names of everyone who had accessed the now-deleted post (or “gist”) on GitHub containing the password. According to The Register, Uber says the low levels of traffic on the post “should generally reveal people, who were affiliated with Uber and who worked on the Uber code near the time of the unauthorised download.”
GitHub has lost its challenge, and now has 30 days to comply with Uber’s demands.