top | item 43110615

ciguy | 1 year ago

OP seems to think that using a .env file means your key can't be leaked because it's not in a git repo. I would bet good money one of their devs accidentally committed it, or that they put it on a server somewhere and it's being served up as a regular file.

eightysixfour | 1 year ago

It happened again after rolling it, so a dev’s machine is compromised, the prod infra is, or they’re straight serving the key somewhere.

ciguy | 1 year ago

Exactly. If I had to bet I would guess their server is just straight up serving the file. I've seen that way too many times.

DannyBee | 1 year ago

Agreed. It doesn't even have to be direct. Maybe somebody committed their shell history, or something.
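A defender's check for two of the leak paths raised in this thread (a committed .env file and a committed shell history), added here as an example that is not from the thread or any commenter: it walks every blob in a repository's history, because deleting a file in a later commit does not remove it from history, and flags sensitive filenames and secret-looking assignments with high entropy. The filename list, the variable-name pattern and the entropy threshold are my assumptions; the sample blobs are constructed.

```python
import math
import re
import subprocess
from collections import Counter

# Filenames that should never enter history (assumed list; extend for your stack).
SENSITIVE_NAMES = {".env", ".env.local", ".bash_history", ".zsh_history", "id_rsa"}
# Assignment-style lines such as OPENAI_API_KEY=... or export STRIPE_SECRET=...
ASSIGN_RE = re.compile(
    r'^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)'
    r'\s*[=:]\s*["\']?([^"\'\s]{16,})'
)

def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose/placeholders."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_blob(path, content, min_entropy=3.5):
    """Return findings for one file: sensitive name and/or high-entropy secret values."""
    findings = []
    if path.rsplit("/", 1)[-1] in SENSITIVE_NAMES:
        findings.append({"path": path, "line": 0, "reason": "sensitive filename"})
    for lineno, line in enumerate(content.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            findings.append({"path": path, "line": lineno,
                             "reason": f"high-entropy value for {m.group(1)}"})
    return findings

def scan_git_history(repo="."):
    """Scan every blob reachable from any ref, including files deleted later."""
    objects = subprocess.run(["git", "-C", repo, "rev-list", "--all", "--objects"],
                             capture_output=True, text=True, check=True).stdout
    findings, seen = [], set()
    for line in objects.splitlines():
        sha, _, path = line.partition(" ")
        if not path or sha in seen:
            continue
        seen.add(sha)
        blob = subprocess.run(["git", "-C", repo, "cat-file", "blob", sha], capture_output=True)
        if blob.returncode == 0:  # tree objects fail here and are skipped
            findings += scan_blob(path, blob.stdout.decode("utf-8", "ignore"))
    return findings

# Constructed sample blobs standing in for git history (not real keys).
SAMPLE_BLOBS = [
    (".env", "DB_HOST=localhost\nOPENAI_API_KEY=sk-AbC123xYz789QwErTy456UiOp\n"),
    ("scripts/.bash_history", "export STRIPE_SECRET=lk_9f8e7d6c5b4a3f2e1d0c9b8a\nls -la\n"),
    ("README.md", "API_KEY=your_api_key_here\n"),  # placeholder: low entropy, not flagged
]

def scan_samples():
    return [f for path, content in SAMPLE_BLOBS for f in scan_blob(path, content)]
```

Run `scan_git_history("/path/to/repo")` on a real checkout; anything it reports is already exposed to everyone with repository read access, so rotate it rather than just rewriting history.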