An update on recent GitHub security incident

Recently, GitHub users were hit by a supply-chain attack delivered through GitHub Actions. What started as a targeted attack on Coinbase became an internet-wide incident that exposed sensitive data from some 23,000 repositories. Although WasyaCo uses GitHub, we were not affected by this episode. We are happy to report that no private WasyaCo data was leaked: no passwords, no secrets, and no source code were compromised.

Our security posture protected our digital assets for two reasons. First, we do not use the functionality that constituted the attack surface. We run our own equivalent of Actions and, although our implementation is not infallible, it is a far less interesting target for attackers than the centralized GitHub Actions ecosystem. This also highlights the danger of centralization: it is easy to hand control of your workflows to a distant third party, until that third party gets compromised. The underlying risk is the same anywhere: workflow code that can read your secrets, pulled from a source you do not control, runs with whatever those secrets can do.
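For teams that do rely on hosted Actions, the practical check is whether every third-party action is pinned to an immutable commit SHA rather than a tag or branch that its upstream can move. The audit script below is an added example written for this page; it is not WasyaCo's code and not part of the original post. The workflow it scans is a constructed sample and the organization and action names in it are made up.

```python
import re

# Constructed sample workflow for this example; the org/action names are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: some-org/other-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Matches the `uses:` key of a step; the capture is the action reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_action_refs(workflow_text):
    """Classify every action reference in a workflow.

    'sha-pinned'  : full 40-hex commit SHA; the code you reviewed is the code that runs
    'mutable-ref' : tag or branch; whoever controls the upstream repo can move it
    'local'       : action lives in this repository and is reviewed with the rest of it
    'docker'      : container image; pin it by digest, which this check does not cover
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            verdict = "local"
        elif ref.startswith("docker://"):
            verdict = "docker"
        else:
            _, _, version = ref.partition("@")
            verdict = "sha-pinned" if FULL_SHA_RE.match(version) else "mutable-ref"
        findings.append((ref, verdict))
    return findings


def mutable_refs(workflow_text):
    """Return only the references a CI policy should reject."""
    return [ref for ref, verdict in audit_action_refs(workflow_text) if verdict == "mutable-ref"]


if __name__ == "__main__":
    for ref, verdict in audit_action_refs(SAMPLE_WORKFLOW):
        print(f"{verdict:12} {ref}")
```

A SHA pin does not make the upstream code trustworthy; it only guarantees that the commit you reviewed is the commit that runs, so a tag moved by someone who has taken over the maintainer's account or token no longer reaches your runner. Whether first-party actions such as `actions/checkout@v4` are exempted is a policy decision; the script flags them so the decision is explicit.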

Second, we keep no credentials or other secrets in the codebase. To be clear, that was not the attack vector here: the affected organizations had credentials exposed that were not in their codebases either. Specifically, secrets held in the memory of the CI runner were written to workflow logs, and those logs were then publicly readable. The general lesson is that secrets must be kept out of source, out of logs, and as short-lived and narrowly scoped as the job allows, so that a leak has little to leak. WasyaCo's disciplined approach to secret management meant that no credentials or sensitive data were exposed.
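To make that failure mode concrete, here is an added example (not the page's or WasyaCo's code) that scans a constructed workflow-log excerpt for credential-shaped values, including values that were base64-wrapped before being written out. The token and key in the sample are fabricated and the log lines are invented. The decode step goes slightly beyond the page, which only says secrets were written to logs; it assumes leaked values may be encoded rather than in the clear, which is why a plain grep for known prefixes is not enough.

```python
import base64
import binascii
import re

# Fabricated credentials with the shape of real ones. Neither is a valid secret.
FAKE_GH_TOKEN = "ghp_" + "x1" * 18          # ghp_ followed by 36 characters
FAKE_AWS_KEY = "AKIAEXAMPLE12345ABCD"        # AKIA followed by 16 characters
WRAPPED = base64.b64encode(FAKE_GH_TOKEN.encode()).decode()

# Constructed workflow-log excerpt (invented for this example, not a real log).
SAMPLE_LOG = f"""\
2025-03-14T10:00:01Z Run some-org/some-action@main
2025-03-14T10:00:02Z Resolved 3 changed files
2025-03-14T10:00:02Z ##[debug] GITHUB_TOKEN={FAKE_GH_TOKEN}
2025-03-14T10:00:03Z env: AWS_ACCESS_KEY_ID={FAKE_AWS_KEY}
2025-03-14T10:00:03Z memory dump: {WRAPPED}
2025-03-14T10:00:04Z Done in 1.2s
"""

# Credential shapes with a fixed prefix; extend with your own providers' formats.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
# Any run of base64 alphabet long enough to hide a credential.
BASE64_CANDIDATE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _scan_text(text, findings, line_no, depth, where):
    """Match known shapes in `text`, then decode base64 runs and recurse."""
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            # Never copy the full value into a report; keep a redacted prefix.
            findings.append((line_no, name, m.group(0)[:8] + "...", where))
    if depth == 0:
        return
    for m in BASE64_CANDIDATE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not valid base64 (bad length or padding): skip
        _scan_text(decoded, findings, line_no, depth - 1, where + "+base64")


def scan_log(log_text, max_decode_depth=2):
    """Return (line_no, pattern_name, redacted_value, where) for every hit.

    `where` is 'raw' for a plain-text hit and 'raw+base64' (or deeper) when the
    value was only visible after decoding an encoded blob on that line.
    """
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        _scan_text(line, findings, line_no, max_decode_depth, "raw")
    return findings


if __name__ == "__main__":
    for line_no, name, redacted, where in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name} ({where}) {redacted}")
```

Run the same scanner over the logs your CI actually produced, not just over a sample, and treat every hit as a credential to rotate rather than a value to delete from the log: once a log has been publicly readable, deleting it later does not help.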

This year we have significantly increased our effort and skills in thwarting cyber security attacks. We remain vigilant in protecting our private data, passwords and keys, and we keep our security mechanisms under review so that they stay robust.
