Canonical Investigating Hack of Its GitHub Page

Company Says Ubuntu Linux Source Code Remains Safe
Canonical Ltd., a British company that offers commercial support and services for the popular Ubuntu Linux open source operating system, is investigating the hacking of its GitHub page over the weekend. The incident did not affect the source code for the system, according to a company statement posted on Reddit.

On Saturday, Canonical's security team spotted an anomaly on the company's GitHub page, with someone attempting to create new accounts and repositories. The user account that started the incident was removed, and the company is investigating the extent of the breach, according to a statement released Sunday.

While there are projects and code related to Canonical on the GitHub page, it's disconnected from the actual Ubuntu Linux source code. The initial investigation determined that no users’ personally identifiable information was compromised, according to the company's statement.

"The launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected," according to the statement posted on Reddit. "We plan to post a public update after our investigation, audit and remediations are finished."

Mysterious Origins

It remains unclear who compromised the GitHub site and what they were attempting to accomplish.

Troy Mursch, an independent security researcher with Bad Packets Report, posted a screengrab of the GitHub site before the Canonical security team removed the user account that started the incident.

Blogger Brian Krebs was also one of the first to take notice of the Canonical breach shortly after it was discovered by other researchers on Saturday.

The screengrabs captured by Mursch show 11 suspect accounts opened around the same time on the Canonical GitHub page and using the same handle - "CAN_GOT_HAXXD" - followed by a number. In another Twitter message, Mursch noted that on Thursday, he had come across internet scans looking for exposed GitHub configuration files.

In a follow-up post, Mursch added that it's not clear if the hack of the Canonical GitHub site and the increased scanning activity are related.

Previous Attacks

In recent years, Canonical has sustained several data breaches that exposed the personal information and data of some of its users.

The most recent incident involving a Canonical website occurred in July 2016, when the company sent a notification to users that its forums database had been compromised. While the attackers weren't able to access plain-text password data, other details, such as email addresses, IP addresses and usernames, were exposed, Wired reported.

At about the same time as that incident, hackers launched an even bigger attack against Linux Mint, another popular open source operating system, according to several published reports.

In that case, the attackers went beyond targeting forums and associated sites and zeroed in on the source code. Some users downloaded a backdoor that would open the way for malware to be planted on a PC, according to news reports.

About the Author

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and
