When I got to GitHub, I checked my application.yml, and it was online with my [Amazon S3] API keys… Crap! I reverted the last few commits, and deleted all traces from GitHub. I was able to clean it up within about 5 minutes and no one else knew about the repo. After a close call, I went to bed. When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they were gone within 5 minutes!
Let this be a lesson to treat your API keys/tokens/etc. like your passwords: never expose them. And if they do get exposed – even for just a little while – change them all.
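One way to stop an application.yml with AWS keys from ever being committed is a pre-commit scan for the credential patterns. This is an added example, not code from the original post; the sample file below is constructed (its key values are the placeholder credentials AWS uses in its own documentation), and the AKIA/ASIA prefix and 40-character secret-key pattern are the documented AWS key formats.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed sample of an application.yml that should never reach a public repo.
# The values are AWS's documentation placeholders, not live credentials.
SAMPLE_APPLICATION_YML = """\
aws:
  access_key_id: AKIAIOSFODNN7EXAMPLE
  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  bucket: my-uploads
"""

# Long-term access key IDs start with AKIA, temporary ones with ASIA, then 16 chars.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish value assigned to a key whose name contains "secret".
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?!['\"A-Za-z0-9/+=])"
)


def find_aws_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, value) for every AWS credential-looking value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
    return findings


def redact(value: str) -> str:
    """Show only the first and last four characters so hook output is safe to log."""
    return value[:4] + "..." + value[-4:]


def staged_files_with_credentials() -> List[str]:
    """Names of git-staged files that contain AWS credentials (for a pre-commit hook)."""
    staged = subprocess.run(["git", "diff", "--cached", "--name-only"],
                            capture_output=True, text=True, check=True).stdout.split()
    flagged = []
    for path in staged:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for lineno, kind, value in find_aws_credentials(fh.read()):
                print(f"{path}:{lineno}: {kind} {redact(value)}")
                flagged.append(path)
    return sorted(set(flagged))


if __name__ == "__main__":  # exit non-zero so git aborts the commit
    raise SystemExit(1 if staged_files_with_credentials() else 0)
```

Install it as `.git/hooks/pre-commit`; it blocks the commit and prints only redacted values, and a file that merely names a bucket passes cleanly.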