A federal contractor published source codes containing sensitive credentials from the Department of Veterans Affairs, FedScoop reported Sept. 29.
The VA has opened a cyber breach investigation into a July data breach incident after hard-coded administrator account privileges, encrypted key tokens and specific database table information was published on internet hosting service GitHub.
The breach occurred after the contractor had allegedly copied source code from a VA-managed GitHub account and published it on their own personal GitHub account, which was then switched to public mode, allowing others access.
Sources familiar with the matter told FedScoop after the information was published online on July 5, six foreign IP addresses cloned the source code, including at least one from a country hostile to the U.S.
A VA spokesperson told Fedscoop that the compromised credentials are part of system-to-system communications that can only be utilized within the VA network and that it has no evidence of a data breach or data being cloned by other countries or validated by foreign IP addresses.
IT leaders at the VA were not made aware of the incident until Sept. 9 after it was discovered through the Cybersecurity and Infrastructure Security Agency's vulnerability disclosure program.
GitHub, which is owned by Microsoft, is used by government agencies for software development and version control.
Microsoft provided the VA with a detection and response team to conduct an analysis of the security risks posed by the breach of information.
"Copying [source code] from government private side to personal is strictly forbidden, so if the repo was private then that's a firing and dismissal offense," one of the sources told FedScoop.