The company's developers were careless with sensitive credentials and secret keys, a security consultant found. If you’re a company that makes its own websites and applications, make sure your developers don’t do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com’s owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company’s IT infrastructure.[ ALSO ON CSO: Ashley Madison still a top lure for scammers and crooks ]The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company’s now-former CEO and the source code for the company’s other online dating websites including CougarLife.com and EstablishedMen.com. A London-based security consultant named Gabor Szathmari has now found evidence that ALM’s developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company’s network.In the leaked ALM source code repositories Szathmari found hard-coded weak database passwords, API access credentials for a cloud-based storage bucket on Amazon’s Simple Storage Service (S3), Twitter OAuth tokens, secret tokens for other applications and private keys for SSL certificates. “The end result of sensitive data stored in the source code repos is a much more vulnerable infrastructure,” Szathmari said Monday in a blog post. “Database credentials, AWS tokens probably made the lateral movement easier for the Impact Team, leading to the full breach of Ashley.”Szathmari advises all companies to remove sensitive credentials from their source code or Wiki pages. Hard-coding such secrets makes it harder to later change them and potentially exposes them to unwanted people when the source code is committed to internal or external repositories.The problem is so common that Amazon Web Services (AWS) issued a warning about it last year after thousands of AWS secret keys were found in public source code repositories hosted on GitHub.Also last year, URL shortening service Bitly suffered a data breach after hackers used a compromised developer account to access the company’s source code repository and steal credentials for its offsite database backup that were stored there. Related content news Okta confirms recent hack affected all customers within the affected system Contrary to its earlier analysis, Okta has confirmed that all of its customer support system users are affected by the recent security incident. By Shweta Sharma Nov 30, 2023 3 mins Data Breach Cyberattacks Cybercrime news Top cybersecurity product news of the week New product and service announcements from Wiz, Palo Alto Networks, Sophos, SecureAuth, Kasada, Lacework, Cycode, and more. By CSO staff Nov 30, 2023 17 mins Generative AI Security feature How to maintain a solid cybersecurity posture during a natural disaster Fire, flood, eathquake, hurricane, tornado: natural disasters are becoming more prevalent and they’re a threat to cybersecurity that isn’t always on a company’s radar. Here are some ways to prepare for the worst. By James Careless Nov 30, 2023 8 mins Security Operations Center Data and Information Security Security Practices news analysis Attackers could abuse Google's SSO integration with Windows for lateral movement Compromised Windows systems can enable attackers to gain access to Google Workspace and Google Cloud by stealing access tokens and plaintext passwords. By Lucian Constantin Nov 30, 2023 8 mins Multi-factor Authentication Single Sign-on Remote Access Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe