OP seems to think that using a .env file means your key can't be leaked because it's not in a git repo. I would bet good money one of their devs accidentally committed it, or that they put it on a server somewhere and it's being served up as a regular file.


It happened again after rolling it, so a dev’s machine is compromised, the prod infra is, or they’re straight serving the key somewhere.


Exactly. If I had to bet I would guess their server is just straight up serving the file. I've seen that way too many times.


Agreed. It doesn't even have to be direct. Maybe somebody committed their shell history, or something.
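The three leak paths raised in this thread (a `.env` committed to the repo, a `.env` sitting under a web root where a static file server hands it out, and a committed shell history with an `export KEY=...` line) can all be caught by a simple audit of the checkout. The script below is an added example, not code from the thread or from any of the commenters; the sensitive-filename list, the credential-name regex and the sample tree it builds are constructed assumptions for illustration. It walks a directory, reports each secret-bearing file, the credential names it contains, whether the top-level `.gitignore` excludes it, and whether it lives under the web root; the fixture deliberately shows that an ignored `.env` is still served if a copy lands in `public/`.

```python
"""Audit a checkout for secret-bearing files that may be committed or web-served.

Constructed example; the filename list and key-name heuristic are assumptions,
not a standard.
"""
import re
import tempfile
from pathlib import Path

# Files that commonly carry credentials and should be neither committed nor served.
SENSITIVE_NAMES = {".env", ".env.local", ".env.production",
                   ".bash_history", ".zsh_history", ".netrc", ".npmrc"}

# A KEY=value (or `export KEY=value`) line whose name suggests a credential.
SECRET_LINE = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)\s*=\s*\S+",
    re.MULTILINE,
)


def gitignore_covers(root, name):
    """True if the repo's top-level .gitignore lists `name` verbatim.
    Only exact-name entries are understood; glob semantics are out of scope."""
    gi = Path(root) / ".gitignore"
    if not gi.is_file():
        return False
    entries = {line.strip().lstrip("/") for line in gi.read_text().splitlines()
               if line.strip() and not line.startswith("#")}
    return name in entries


def audit(root, webroot=None):
    """Walk `root` and report every sensitive file found.

    Each finding records the credential names in the file, whether .gitignore
    excludes it, and whether it sits under `webroot` (where a static file
    server would serve it regardless of what git ignores)."""
    root = Path(root).resolve()
    web = Path(webroot).resolve() if webroot else None
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.name not in SENSITIVE_NAMES:
            continue
        text = path.read_text(errors="replace")
        findings.append({
            "file": path.relative_to(root).as_posix(),
            "keys": sorted(set(SECRET_LINE.findall(text))),
            "ignored": gitignore_covers(root, path.name),
            "served": web is not None and web in path.parents,
        })
    return findings


def build_sample_tree():
    """Constructed fixture: .env is git-ignored, but a copy lives under public/
    (served), and a shell history with an exported key was left in the tree."""
    root = Path(tempfile.mkdtemp())
    (root / ".gitignore").write_text(".env\nnode_modules/\n")
    (root / ".env").write_text("API_KEY=sk-constructed-placeholder\nDEBUG=1\n")
    (root / "public").mkdir()
    (root / "public" / ".env").write_text("API_KEY=sk-constructed-placeholder\n")
    (root / ".bash_history").write_text(
        "ls\nexport API_KEY=sk-constructed-placeholder\ncurl https://example.invalid\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in audit(sample, sample / "public"):
        flags = []
        if not f["ignored"]:
            flags.append("NOT git-ignored")
        if f["served"]:
            flags.append("under web root")
        print(f"{f['file']}: keys={f['keys']} {' / '.join(flags) or 'ok'}")
```

Run it against a real checkout with `audit(repo_path, repo_path / "public")` (or whatever directory your static server exposes); anything reported as "under web root" is retrievable by anyone who guesses the path, and anything "NOT git-ignored" will be committed on the next careless `git add .`. Rolling the key without fixing the path it leaks through just re-leaks the new one, which is what the thread observed.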



