On August 16, 2022, an AWS access key granting access to database backups was accidentally committed to a Git repository and exposed for approximately two hours before being revoked. The incident potentially exposed personal data of Gradle Plugin Portal and Discourse forum users, including 7,133 display names, usernames, and email addresses; 3,994 usernames and emails from a historical forum; and 195 hashed and salted passwords for unactivated accounts. Plugin publishing keys, artifacts, and forum posts were not affected. Gradle has responded by enabling GitHub Push Protection and purging stale accounts, and plans to encrypt backups, introduce data retention policies, and enable S3 access logging.