A GitHub repository was public-viewable

Update March 7, 2022: We appreciate the feedback from the community and our customers, and additionally emailed users as part of this disclosure (and Discord, live video shows). We apologize for not doing that in parallel with the post/disclosure on Friday, March 4, 2022.


We’ve recently become aware of an inadvertent private-to-public viewable GitHub repository that could have enabled unauthorized access to information about certain user accounts on or before 2019.

The inadvertent disclosure involved an auditing data set used for employee training becoming public on a GitHub repository associated with the account of an inactive former employee who was learning data analysis. The repository contained some names, email addresses, shipping/billing addresses and/or whether orders were placed successfully via credit card processor and/or PayPal, as well as details for some orders. There were no user passwords or financial information such as credit cards in the data analysis set.

Within 15 minutes of being notified about the inadvertent disclosure, Adafruit worked with the former employee, deleted the relevant GitHub repository, and the Adafruit team began the forensic process to determine whether there had been any access and what type of data was involved. Although we are unaware of any actual misuse of the information, we are providing this notice to you for transparency and accountability. We are additionally putting in place more protocols and access controls to avoid any possible future data exposure and limiting access for employee training use.

As a reminder, for your security, we will never send you a link to reset your password as part of a security alert, and our customer support team will never contact you asking for your password. If you receive an email of this nature, or otherwise suspect that someone is attempting to gain access to your account or solicit your personal information, or have any other questions about this process, please contact us at security@adafruit.com.

We would also like to thank all individuals who have and continue to contribute to the security of our users by disclosing vulnerabilities to us responsibly https://www.adafruit.com/reportingsecurityissues

Why aren’t we sending an email to every user?
We evaluated the risk and consulted with our privacy lawyers and legal experts, and took the approach that we thought appropriately mitigated any issues while being open and transparent and did not believe emailing directly was helpful in this case. Adafruit publishes all security disclosures on our blog and security pages. There is no action for the users to perform. There were no user passwords or financial information such as credit cards in the data analysis set.


We will continue to update the disclosure page with additional details and/or clarifications. The data set was unintentionally made public during an employee exit procedure handoff.

Update March 7, 8, 9, 10, 2022: Users notified via email (emails will contain “datanotifications” and be from the adafruit.com domain), Discord, & live video show(s) “Show and Tell”, ASK an ENGINEER.

https://www.adafruit.com/reportingsecurityissues
https://www.adafruit.com/responsibledisclosurethanks

Previous disclosure post(s):
https://blog.adafruit.com/2016/11/01/keeping-your-account-protected/

Phillip Torrone, Managing Director & Limor “Ladyada” Fried, founder and the Adafruit team – Adafruit, 150 Varick Street, NY, NY 10013


Here are additional notes and video clips from our shows during the disclosure. As we worked with our community and answered questions via email, live video chats and more, we collected them and put them here to preserve them and refer back to later as needed. ASK AN ENGINEER MARCH 10, 2022 (12 min, 38 sec).

Why does anyone have access to PII other than for the actual operation of the web site and business?
• Employees at Adafruit only have access to or use PII for the necessary operation of the business and web site. The PII in this incident was data used in a legitimate monthly audit. The code and dataset folder the employee was working on were committed to their private GitHub account, without our knowledge and against our internal policies and standard practices, during the hand-off from the previous employee running the auditing tool.
• We chose the phrases “training” and “learning data analysis” in our disclosure because the incident occurred during the handover of the task, while training the employee to run the audit. The employee was not performing purely “learning / training” exercises using PII.
• Neither employee had access to PII data directly from our production database. The PII was part of a monthly generated order history report used to perform the audit.
• We are taking further steps designed to ensure that any generated report contains the minimum necessary customer information and are introducing additional training and education for the handful of Adafruit employees who interact with this type of data.

Is there something unique about Adafruit that prevents simulated, generated or otherwise “masked” data from being used in development and testing?
• Adafruit uses simulated / scrubbed / “masked” data in development and testing environments and has for several years. We take appropriate steps designed to ensure that we do not use unscrubbed customer data in development or testing environments.
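The two practices described above (a generated report that carries only the minimum necessary customer information, and masked data for anything outside the production system) can be combined in one preprocessing step. The script below is an added example written for this post, not Adafruit’s own auditing tool or code; the report column names, the audit columns kept, and the key handling are assumptions. It takes a constructed order-history report, drops the direct identifiers, replaces the email with a keyed pseudonym so repeat customers can still be counted, and refuses to produce output if anything that looks like an email address or a forbidden column survives.

```python
"""Minimise and pseudonymise an order-history report before it is used for auditing.

Added example, not Adafruit's code. Column names and the set of audit columns
are assumptions about what such a report might contain.
"""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample report (not real customer data).
RAW_REPORT = """\
order_id,order_date,name,email,shipping_address,billing_address,processor,succeeded,total_usd
1001,2019-02-03,Alice Example,alice@example.com,"1 Main St, Springfield","1 Main St, Springfield",card,true,42.50
1002,2019-02-04,Bob Example,bob@example.org,"2 Elm Ave, Shelbyville","2 Elm Ave, Shelbyville",paypal,false,19.99
1003,2019-02-09,Alice Example,ALICE@example.com,"1 Main St, Springfield","1 Main St, Springfield",card,true,7.25
"""

# Columns the audit actually needs (assumption): nothing that identifies a person directly.
AUDIT_COLUMNS = ("order_id", "order_date", "processor", "succeeded", "total_usd")

# Columns that must never reach the analysis data set.
FORBIDDEN_COLUMNS = {"name", "email", "shipping_address", "billing_address"}

EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")


def pseudonymise(email: str, key: bytes) -> str:
    """Replace an email with a keyed digest.

    Repeat customers map to the same reference, so order counts per customer
    still work, but the address itself is not in the report. The key stays with
    the owners of the production report and is never committed alongside the data.
    """
    normalised = email.strip().lower()
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]


def minimise_report(raw_csv: str, key: bytes) -> list:
    """Keep only the audit columns and add a pseudonymous customer reference."""
    rows = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        kept = {col: row[col] for col in AUDIT_COLUMNS}
        kept["customer_ref"] = pseudonymise(row["email"], key)
        rows.append(kept)
    return rows


def contains_direct_identifiers(rows) -> bool:
    """Guard run before the data set is written anywhere.

    Returns True if any row still carries a forbidden column or any value
    that looks like an email address.
    """
    for row in rows:
        if FORBIDDEN_COLUMNS & set(row.keys()):
            return True
        if any(EMAIL_RE.search(str(value)) for value in row.values()):
            return True
    return False


def to_csv(rows) -> str:
    """Serialise the minimised rows; raises if the guard finds leftover identifiers."""
    if contains_direct_identifiers(rows):
        raise ValueError("refusing to write: direct identifiers still present")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(AUDIT_COLUMNS) + ["customer_ref"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"  # placeholder, not a real secret
    print(to_csv(minimise_report(RAW_REPORT, demo_key)))
```

The guard is the part worth keeping even if the column set differs: whatever produces the analysis data set should fail closed when an identifier slips through, rather than relying on the person running the hand-off to notice.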

Additionally is there any limitation to which employees should be able to access PII and other sensitive data?
• Yes, several. We have an internal permissions system that is designed to prevent access to any tools, systems, or reports that are out of scope for a given employee’s role and responsibilities. Adafruit employees do not have access to our production database outside of a handful of trained IT professionals. We are taking further training and education steps with our staff in light of what happened here.

