Interesting.<p>It's also interesting that Facebook developers are using Pastebin for things such as this. I would assume that they'd have an internal wiki, or gist-like app.<p>It's also noteworthy to see how they set up their accounts: first initial, full last name—same standard as many other companies. But seeing it laid out can help in the guessing of other names (or common name occurrences, as you don't even need a full first name).<p>While some leaks may not even be effective outside Facebook's internal network (things such as database credentials, network shares… hopefully), having actual code that may be in production does pose a risk. The possibility to see where, for instance, data isn't fully sanitized, or where information being fetched might not require proper authentication[1] is more worrying. Facebook is known for promoting "move fast and break things". Hopefully they have good QA and SDET teams to catch these things.<p>[2] One code snippet features the following:
> // TODO: add privacy checks!
Tangentially related, I'd like an opinion on this:<p><i>>Okay, so it's not the most secure password. But Facebook's database servers are heavily firewalled. Though if you do manage to break in to Facebook's servers, there's the password.</i><p>What is the point of even having a database password? The application itself needs access to the database, so the application needs to know the password.<p>That means that an attacker who gains access to the application can easily just look at the file where the password is stored and then use that to access the database.<p>Even if you'd go to great lengths to keep asking for the password at server start and only keeping it in memory - once an attacker is on the application server, the password is in memory and can be snooped.<p>So the question is: Why even use a password for the web application? In my case, I'll just let the application servers connect to the database without a password.
Fascinating stuff. I'm still amazed at how many usernames/passwords are freely available via GitHub search:<p><a href="https://github.com/search?p=96&q=gmail+password&ref=searchresults&type=Code&utf8=%E2%9C%93" rel="nofollow">https://github.com/search?p=96&q=gmail+password&ref=searchre...</a><p>Even if they have 2-step auth set up, people choose "complete the email address" as a form of authentication, which you can most likely get from their GitHub profile.<p>The moral of the story here is - if you do not want someone to find it - do not publish it online.
Part 2: <a href="http://sintheticlabs.com/blog/a-look-inside-facebooks-source-code-part-2.html" rel="nofollow">http://sintheticlabs.com/blog/a-look-inside-facebooks-source...</a>
I found an interesting post from "karthimx" [1] made on Jun 30, 2010.<p>It too contains the password "e5p0nd4". This user didn't do any hacking or googling but got this error browsing facebook. He says "Suddenly I got this error message in Facebook" (so apparently inside the production environment, wtf?).<p>[1] <a href="https://forums.digitalpoint.com/threads/facebook-error-message.1855399/" rel="nofollow">https://forums.digitalpoint.com/threads/facebook-error-messa...</a><p>[2] <a href="http://www.zyngaplayerforums.com/archive/index.php/t-545034-p-3.html" rel="nofollow">http://www.zyngaplayerforums.com/archive/index.php/t-545034-...</a> - Another one from 2010!
Reminds me somewhat of this <a href="https://twitter.com/dumpmon" rel="nofollow">https://twitter.com/dumpmon</a> which monitors all pastes for email and password dumps. You can use <a href="https://haveibeenpwned.com/" rel="nofollow">https://haveibeenpwned.com/</a> to search if your email has ever been leaked/dumped.
Pastebin has TONS of stuff lying around, it's pretty fascinating. I've always wanted to spend some time digging around there, but haven't gotten around to it.