Carlo van Wyk, a South African web developer, said that he lost $6,500 (£4,250) in just a few hours because a flaw in a tool for using Microsoft’s Visual Studio IDE with code-sharing site GitHub inadvertently exposed his sensitive data.
He used the GitHub Extension for Visual Studio 2015 to commit one of his local Git code repositories to a private repository on GitHub. However, unknown to him at the time, a bug in the extension, developed and maintained by GitHub itself, caused his code to be committed to a public GitHub repository rather than a private one as he intended.
Once he reported the bug, both of the concerned companies fixed it.
According to a report published in The Register, within around ten minutes of publishing his code, he received a notification from Amazon Web Services telling him his account had been compromised. He had included an AWS access key in the code that he had committed to GitHub.
Although he immediately changed his AWS root password, revoked all of his access keys, and created new ones, within hours the crooks had managed to sign him up for AWS’s Elastic Compute Cluster and fire off more than 20 instances in each EC2 region.
After that, his AWS account had racked up a bill of $6,484.99.
AWS was not available for comment, according to The Register. However, GitHub has apologized for the error in its code, describing it as “inexcusable.”