Zapier says someone broke into its code repositories and may have customer data

56 points by OmarShehata 2 months ago

4 comments

pm90 2 months ago
This is the most mealy-mouthed disclosure ever. Shame on them.

How can an employee's 2FA misconfiguration lead to someone else accessing these repos? 2FA setups are supposed to prevent this sort of thing. If I had to guess, it was someone on the “devops/sre/infra” team that usually has god mode access that was setting up some integration and disabled 2FA for testing or something for a test account … but it would have had to be disabled for a while for the attacker to get access.

What kind of customer data were they storing in their repository? Were they storing raw webhook data/API responses in GitHub gists or something (wouldn’t put it past them).

As a sidenote, I've worked with folks from Zapier and I'm not impressed with their engineering. Their integrations are super fucking brittle, it's like it was designed by toddlers. I would not depend on them for any kind of business-critical functionality.
mvdtnz 2 months ago
Why is there customer data in code repositories?

> The customer data had been “inadvertently copied to the repositories for debugging purposes,” according to an email obtained by The Verge.

What on earth? How is this possible?

> we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.

"instances". Plural.
Kye 2 months ago
I never used it because I could never figure out the pricing. Fortuitous.
linwangg 2 months ago
Zapier’s breach shows that even big SaaS companies can accidentally expose customer data in code repos. If they got hit due to a 2FA misconfiguration, how many other companies are at similar risk without knowing?