Sourcegraph seems to have collected a bunch of these (now leaked) email addresses from signups on self-hosted instances.

I remember being very surprised when I was signed up to their mailing list after I made an account on my self-hosted instance, and I'm not sure about the ethics (and legality) of collecting these in the first place.
Overall very well handled and communicated. To get 11 points out of 10, remove adjectives from communication. When people read “quickly” they don’t think “oh great, they were quick, I’m going to trust them more now”, they think “communication is biased”. Just write facts (i.e. time stamps, or if you don’t have them use “hours” or “same day”).
> accidentally committed a code change that contained an active site-admin access token

Our regular reminder to try to keep credentials and other security tokens well away from any source code wherever possible, even if that might mean making things a touch less convenient.

I'd guess that most of us have checked in or otherwise posted a credential at some point in our careers. I've certainly done it in the past with an application DB connection string and had to do the quick reconfigure to revoke that access¹ – in that instance resolution was quick & easy, but for other environments it might be a lot more admin.

Being careful isn't the solution because mistakes will always happen; making it damn near impossible to accidentally post credentials is the way to go.

--

[1] Even though the repo checked into could only be accessed from within the company, and the DB instance in question was locked down so only the application servers and the limited few with access to a VPN connecting to its subnet could reach it, good practice dictated immediate full revocation just in case.
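The point made in the comment above (rely on tooling that makes it hard to commit a credential, not on people being careful) is usually implemented as a pre-commit or CI secret scan. The following is an added example, not code from the thread or from Sourcegraph: a small scanner that flags credential-looking strings in lines about to be committed. The rule names, the entropy threshold, the placeholder list and the sample lines are all constructed for illustration; only the `AKIA` prefix of AWS access key IDs is a real, publicly documented format.

```python
# Added example, not from the HN thread or from Sourcegraph: a small
# pre-commit-style scanner that refuses commits containing credential-looking
# strings. Rules, thresholds and the sample diff below are constructed for
# illustration; tune them for your own code base.
import math
import re
import subprocess
import sys
from collections import Counter

# Characters a pasted token typically consists of (hex, base64, URL-safe).
TOKEN_CHARS = r"[A-Za-z0-9_\-+/=.]"

# (rule name, regex whose group 1 is the candidate secret, apply entropy gate?)
RULES = [
    # user:password@host inside a connection URL, e.g. a DB connection string
    ("connection-string password",
     re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s/]+)@", re.IGNORECASE), False),
    # AWS access key ID: publicly documented AKIA prefix followed by 16 chars
    ("aws access key id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), False),
    # generic assignment: token = "...", secret: '...', API_KEY=...
    ("credential assignment",
     re.compile(r"(?:token|secret|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?("
                + TOKEN_CHARS + r"{8,})", re.IGNORECASE), True),
]

# Obvious dummies (constructed list) that should not block a commit.
PLACEHOLDERS = {"changeme", "password", "secret", "xxxxxxxx", "redacted", "example"}


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and code references low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep only a short prefix so the scanner's own report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_secrets(text: str, min_entropy: float = 3.5):
    """Scan text line by line; return [(line_no, rule_name, masked_value), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx, needs_entropy in RULES:
            for m in rx.finditer(line):
                candidate = m.group(1)
                if candidate.lower() in PLACEHOLDERS:
                    continue
                # The entropy gate drops code references such as os.environ or
                # settings.db_password that the generic rule would otherwise catch.
                if needs_entropy and shannon_entropy(candidate) < min_entropy:
                    continue
                findings.append((line_no, name, mask(candidate)))
    return findings


def staged_additions() -> str:
    """Added lines of the staged diff, i.e. what `git commit` is about to record."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


# Constructed sample standing in for staged changes; no real credentials.
SAMPLE = """\
DATABASE_URL = "postgres://app:S3cr3tPassw0rd!@db.internal:5432/app"
ADMIN_TOKEN = "a1b2c3d4e5f67890a1b2c3d4e5f67890f0e1d2c3"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = os.environ["DB_PASSWORD"]
token = "changeme"
"""

if __name__ == "__main__":
    # As a .git/hooks/pre-commit script (`--staged`): scan staged lines and
    # block the commit on any hit; without the flag, scan the sample above.
    text = staged_additions() if "--staged" in sys.argv[1:] else SAMPLE
    hits = find_secrets(text)
    for line_no, name, shown in hits:
        print(f"line {line_no}: {name}: {shown}")
    sys.exit(1 if hits else 0)
```

Run on the sample, the scanner reports the connection-string password, the hex token and the AWS key ID and stays quiet on the environment-variable lookup and the `changeme` placeholder. Wired in as a pre-commit hook it stops the commit before the credential reaches the repository, which is the cheap moment to catch it; once a token has been pushed anywhere, the only safe response is the full revocation the comment describes.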
I don't know, but it always seems to be worded like in this instance:

"...A small subset of customers’ Sourcegraph license keys may have been accessed..."

I don't buy that; it always seems to me like an attempt to downplay something.