Hacker leaks Cisco DevHub data

A hacker known as IntelBroker has leaked 2.9 GB of files from Cisco's publicly accessible DevHub platform. However, Cisco insists that its systems were not breached and attributes the exposure to a configuration error.

What happened

A hacker, known as IntelBroker, has leaked data allegedly stolen from Cisco DevHub, claiming it represents only a fraction of the total haul. The leak, posted on the BreachForums cybercrime forum, includes 2.9 GB of JavaScript, Python, certificates, and library files related to several Cisco products, including Catalyst, IOS, Secure Access Service Edge (SASE), and WebEx.

The incident follows IntelBroker’s October announcement of breaching Cisco systems and obtaining sensitive information, including source code, certificates, encryption keys, and confidential documents. IntelBroker now claims to have downloaded 4.5 TB of data from DevHub, contradicting earlier claims of 800 GB. Such discrepancies are common with this hacker, who has a reputation for making exaggerated statements.

See also: HIPAA Compliant Email: The Definitive Guide

The backstory

On October 14, a hacker known as IntelBroker claimed on a cybercrime forum to have breached Cisco and stolen sensitive information, including source code, credentials, API tokens, and confidential documents. IntelBroker alleged the stolen data also included materials tied to major corporations such as Microsoft, T-Mobile, and Bank of America.

By Friday, October, Cisco launched an investigation and determined its systems had not been breached. Instead, the hacker accessed data from a public-facing DevHub environment—a resource hub for customers to access source code and scripts. Cisco admitted a small number of files not intended for public download were exposed due to a configuration error. While the company initially found no sensitive personal or financial information included, the investigation continued.

To mitigate the issue, Cisco disabled public access to the compromised DevHub environment. 

In other news: 

• U.S. and T-Mobile agree to a $31.5 million data breach settlement
• Bank of America releases notice of massive data breach

What was said

Cisco addressed the situation in its latest updates, emphasizing its confidence that no breach of internal systems occurred. The company reiterated: “We are aware of some recent social media posts made by the actor. Based on information available to us at this time, we believe that the files referenced in the posts are files that we had previously identified during our investigation and reported on.”

Cisco confirmed that the files were downloaded from publicly accessible pages on its DevHub platform and acknowledged that a configuration error led to the inadvertent publication of certain files not intended for public access. “We have determined that the actor downloaded certain files from publicly accessible devhub.cisco.com pages. Some of those files related to a limited set of CX Professional Services customers. We notified these customers directly, provided them with a copy of the relevant files, and have offered our assistance in reviewing those files.”

While the error has been corrected and public access to DevHub restored, Cisco has committed to continuing its investigation and notifying any additional affected customers.

Why it matters

The leak poses potential risks to Cisco customers relying on its products, as the exposed data may provide cybercriminals with insights to exploit system vulnerabilities. The ongoing ambiguity regarding the true scale of the breach raises questions about the transparency and accuracy of initial investigations and incident reports.

Bottom line

While Cisco has maintained that no breach occurred in its internal systems, exposing non-public data indicates the need for rigorous auditing and security protocols for publicly accessible resources. Organizations must remain vigilant, ensuring that sensitive files are appropriately secured to prevent such leaks in the future.

FAQs

What is a public-facing system, and why can it be vulnerable?

A public-facing system is a platform accessible via the internet, such as websites, databases, or resource hubs. If improperly configured, sensitive files may inadvertently be exposed, making them vulnerable to unauthorized access.

How do companies respond to data breaches?

Companies typically:

• Investigate the breach to determine its scope and impact.
• Secure affected systems to prevent further unauthorized access.
• Notify affected individuals and relevant authorities.
• Implement measures to prevent future incidents, such as fixing configuration errors or enhancing security protocols.

Learn more: How to respond to a data breach