Samsung leak exposed source code, passwords and employee data

An independent researcher discovered dozens of files set to public.

Samsung was reportedly leaking sensitive source code, credentials and secret keys for several internal projects. According to TechCrunch, independent security researcher Mossab Hussein discovered dozens of exposed files in a GitLab instance used by Samsung engineers and hosted on a company-owned domain. The projects were reportedly set to "public" and not protected with a password.

The exposed files contained source code for projects like Samsung's SmartThings platform and Bixby services. They also contained credentials that provided access to the Amazon Web Services account that was being used, as well as several employees' GitLab tokens, which provided further access.

A Samsung spokesperson told TechCrunch that the company "quickly revoked" all keys and certificates for the platform, reportedly used for testing. But Hussein said he alerted Samsung on April 10, and the company didn't revoke the GitLab keys until April 30. "The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing," he told TechCrunch.

To Samsung's knowledge, the exposed files weren't tampered with. But for any company, especially one of this scale, a leak like this could be disastrous. It should also be preventable.