GitHub has disclosed details of the NPM infrastructure compromise and the discovery of plaintext passwords in its logs.

GitHub has published the results of its analysis of the attack in which, on April 12, attackers gained access to the Amazon AWS cloud environment used by the NPM project's infrastructure. The incident analysis showed that the attackers obtained backup copies from the skimdb.npmjs.com host, including a 2015 backup of the database holding the account details of roughly 100,000 NPM users: password hashes, user names and email addresses.

The password hashes had been generated with salted PBKDF2 or SHA1, which were replaced in 2017 by the brute-force-resistant bcrypt. As soon as the incident became known, the affected passwords were reset and the users were notified to set a new password. Because mandatory two-factor authentication with email verification has been enabled on NPM since March 1, the risk of user accounts being compromised is considered to be nil.

In addition, all manifest files and metadata of private packages dating from April 2021, CSV files listing the current names and versions of all private packages, and the contents of all private packages belonging to two GitHub customers (whose names were not disclosed) fell into the attackers' hands. As for the registry itself, analysis of the traces left behind and verification of package hashes did not reveal the attackers modifying any NPM packages or publishing new package versions.

The attack took place on April 12 using stolen OAuth tokens issued to two third-party GitHub integrators, Heroku and Travis-CI. Using the tokens, the attackers were able to extract from a private GitHub repository an Amazon Web Services API access key used for the NPM project. The extracted key allowed access to data stored in the AWS S3 service.

Separately, information was disclosed about serious privacy problems identified earlier in the handling of user data on the NPM servers: the passwords of some NPM users, as well as NPM access tokens, were stored in plain text in internal logs. When integrating NPM with GitHub's logging system, the developers had not ensured that sensitive data was stripped from the requests to NPM services that were written to the log. The error is reported to have been fixed, and the logs were purged before the attack on NPM. Only some GitHub employees had access to the logs containing the plaintext passwords.

Source: opennet.ru
