Nigerian fintech TeamApt says ‘no data’ leaked in source code breach

TeamApt, a Nigerian payment company has said that no data nor configuration was leaked in a recent source code leak involving dozens of companies across industries like technology, finance, retail, food, ecommerce, and manufacturing which source codes following a misconfiguration in their software.

Tosin Eniolorunda, CEO of TeamApt said the breach was discovered on 26 July after a thorough investigation found that only snapshots of codes resident on our static code analysis tool were exposed.

“This tool is used by the engineering team to scan for vulnerabilities and bugs in our source codes before shipping them. As the tool also keeps a snapshot of the most recently scanned lines of codes, the attackers exploited a vulnerability in this tool which allows users with unauthorised access to scrape recently scanned lines of codes. These code snapshots were what the attackers were able to access,” Eniolorunda told BusinessDay.

Till Kottman, a Swiss-based IT consultant posted a list of about 50 companies that at some point had their source code exposed.

Source code, also referred simply as the ‘source’ of a program, describes a computer program written in a high-level language that is converted into object code or machine code by a compiler. Source code is the stage where a programmer can read and modify a computer program. It contains variable declarations, instructions, functions, loops, and other statements that tell the program how to function.

Read also: Bills to regulate digital economic underway, says Malami

A leak could expose critical information belonging to an organisation and customers. The affected companies in the latest hack include Microsoft, Adobe, Johnson Controls; GE; AMD; Lenovo; Motorola, Qualcomm; Mediatek; Disney; Daimler; Roblox, Nintendo; TeamApt; and various organisations in software, hardware, healthcare, finance, automotive, travel, and industrial sectors.

“The leak was caused by an internal static code analysis tool used to scan for application vulnerabilities,” Eniolorunda said. “No data nor configuration was leaked. We have also gotten the hackers to delete the source codes with no prejudice. We have now patched the Software Composition Analysis (SCA) tool vulnerability and put more security measures in place.”

Kottman said that the source code that was made public mostly proprietarily, comes from exposed DevOps infrastructure. He assured that data with the potential to put people in danger were not released. There was also an effort to censor any credentials they found before making the code public.

“There are multiple aspects to this. It will hopefully show some companies that their own infrastructure also needs to be protected,” Kottman said. “I am also very curious and so are many other people, and this gives an interesting inside view into how (unfortunately often badly) proprietary projects are built.”

Although TeamApt says no harm was done to its data, an analyst who spoke on condition of anonymity, told BusinessDay that companies don’t need data to be breached to be in trouble.

“Once someone sees your code, they know exactly how your app works and they can plot how to break into it. Thieves always seek the house plan or map before they come to rob,” the analyst said.

Widget Code-