Plugin Portal potential data exposure

On 16th August 2022, Gradle Plugin Portal and the Gradle Discourse forums were impacted by a security incident that could have led to exposure of the personal data of some Gradle community members.

No other services, hosted on gradle.org, gradle.com, or elsewhere were impacted.

What happened?

An Amazon Web Services key granting access to database backups that contained personal information for a subset of the Gradle Plugin Portal and Discourse forum users was exposed in a Git commit. This key was exposed for two hours before being revoked.

We believe it is unlikely that the exposure led to an unauthorized access of data, but we are taking actions and notifying impacted individuals out of caution and transparency.

What data was exposed?

We have inspected the database backups to determine what data could have been accessed. The backups were from the development environment that contained data for the Gradle Plugin Portal and Discourse users.

We are emailing affected users to notify them specifically of this incident. If you do not receive an email from us about this incident, you are not affected by it.

The personal data that could have been impacted by the incident likely varies depending on the user but could include information such as email address, display names, and for some individuals, hashed and salted passwords. We have confirmed that no activity has occurred with respect to any account related to any of the hashed and salted passwords potentially impacted by the incident. The following data could have been exposed:

7133 display names, usernames and potential GitHub usernames and email addresses for all users that were present in the development database of the Gradle Plugin Portal

  • Display name and username are already public on the Plugin Portal or Discourse. So is the association with the GitHub username when using GitHub as the identity provider.
  • However, emails are not public on the Plugin Portal or Discourse. If the database was downloaded by a third party, they would be able to link these 7000 Plugin Portal or Discourse usernames to an email address.

3994 usernames and email addresses from a historical version of the Gradle Build Tool Forum

  • Usernames (mixture of handles and display names) are already public on our forums
  • However, email addresses are not public. If the database was downloaded by a third party, they would be able to link these 4008 usernames to an email address.

195 username, email and hashed and salted passwords for un-activated user accounts

  • Hashes were generated using bcrypt
  • None of these users have been activated since the incident
  • Only 2 of those hashed passwords match production users

What data remained safe?

  • None of the publishing keys for any plugin on the production Gradle Plugin Portal were exposed.
  • None of the Plugin Portal artifacts could be replaced.
  • None of the Discourse forums posts could be altered.

What should you do to protect yourself from data abuse?

  • We recommend being extra cautious around Gradle-themed phishing attacks that may seek to target your status as a Gradle plugin author or Gradle forum user. If you have any questions about whether a communication is authentically from Gradle, feel free to reach out to us at security@gradle.com.
  • We recommend using unique and challenging passwords for all of your accounts (Gradle-related or otherwise). Best practice is to use password-manager generated unique passwords for each service.
  • Reach out to us if you have any questions or would like to change the email address of your account by contacting us at plugin-portal-support@gradle.com.

What have we done to respond to the incident?

  • Carried out incident response procedures, including investigating and mitigating the exposure.
  • Enabled Github Push Protection across all repositories organization-wide to prevent secret keys from being accidentally pushed to GitHub
  • Notified potentially affected community members
  • Stale pending user activations have been purged

What will we do to prevent further incidents?

We are taking the following further steps to improve our security and avoid repeat incidents:

  • Stopping passing credentials in command-line arguments for tests
  • Introducing retention policies on our database
  • Cleaning up the development and production databases, deleting unneeded data
  • Enabling S3 access logging account-wide by default
  • Encrypting database backups

Incident Timeline

2022.08.16 at 10:03 UTC
Commit with AWS access key and secret was pushed
2022.08.16 at 10:09 UTC
AWS notified Gradle of this disclosure and automatically applied a quarantine policy that prevents destructive actions from being taken with this key
2022.08.16 at 12:04 UTC
AWS key disabled by Gradle staff
2022.08.16 - 2022.08.23
Internal incident response
2022.08.24
Publication of this blog entry and notifications of affected users

Final words

We are sorry to have been in a position of potentially disclosing information entrusted to us. We are using this incident as a way to improve our internal systems and security to reduce the likelihood of such an event happening again.