Zapier says someone broke into its code repositories and may have customer data
13 comments
March 1, 2025
pm90
toomuchtodo
Disclosure: ex-Zapier employee, shareholder, bias disclosed, I have zero information or access today. Thoughts and opinions always my own.
I’m not sure who you worked with, but I worked for several years with both engineers and the CTO, and I strongly disagree with your assertion regarding their engineering prowess. It is one of the most engineering focused companies I have ever worked at in ~25 years, and at least while I was there, the bar was high (and continued to rise during my tenure).
Security is hard, perfect security is impossible. You prioritize workload to the best of your ability, and hope you outrun adversaries. Sometimes, you will lose, and you have a plan for that. People are always the weakest link.
Integrations are brittle because integrating with thousands of APIs is hard, and APIs are constantly changing underneath the system. In my opinion, the core was robustly architected and implemented (although it has changed over time).
(head of security at a fintech, 10+ years security in financial services)
hassleblad23
Can't comment on the rest of your points, but as someone who has worked on Zapier-like third-party integrations a lot, it is much harder than it appears.
stenius
I know lots of people that have their two-factor auth setups on the same computer they are using to log in. If you can compromise that computer, there's no additional "2FA" needed.
All it takes is some engineer that needs admin access for their job installing something.
mvdtnz
Why is there customer data in code repositories?
> The customer data had been “inadvertently copied to the repositories for debugging purposes,” according to an email obtained by The Verge.
What on earth? How is this possible?
> we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.
"instances". Plural.
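Since the question above is how customer data ends up in a repository in the first place, here is an added example of the kind of pre-commit check that stops a debugging dump before it is committed. This is illustration code written for this thread, not Zapier's tooling or anything from the article; the detection patterns, the allowlist and the sample dump below are all constructed for the example and are deliberately heuristic.

```python
import re
import subprocess
import sys

# Heuristic patterns for data that has no business in a code repository.
# Chosen for this example; a real deployment would tune and extend them.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Documentation domains are fine in test fixtures; any other address is treated as real.
ALLOWLIST = re.compile(r"@example\.(?:com|org|net)\b")


def mask(value):
    """Never echo the full secret or PII back into a terminal or CI log."""
    return value[:4] + "..." + "(%d chars)" % len(value)


def scan_text(text):
    """Return one finding per pattern hit as {line, kind, masked}.

    The allowlist is applied per match, so a line that mixes a fixture
    address with a real one is still flagged for the real one.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if ALLOWLIST.search(m.group(0)):
                    continue
                findings.append({"line": lineno, "kind": kind, "masked": mask(m.group(0))})
    return findings


def scan_staged_diff():
    """What a pre-commit hook sees: only the lines being added by this commit.

    Line numbers in the result index the list of added lines, not the file.
    """
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    added = [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]
    return scan_text("\n".join(added))


# Constructed sample of the kind of "copied in for debugging" dump the thread
# is talking about. None of these values are real credentials or customers;
# the AWS key ID is the well-known placeholder from AWS's own documentation.
SAMPLE_DEBUG_DUMP = """\
# constructed sample of a debugging dump, not real customer data
request = {"email": "jane.doe@acme-widgets.test", "plan": "team"}
headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJlLXNpZ25hdHVyZQ"}
aws = {"key_id": "AKIAIOSFODNN7EXAMPLE", "secret": "<redacted>"}
fixture_user = "test@example.com"  # allowed: documentation domain
"""


if __name__ == "__main__":
    # No argument: scan the staged diff (hook mode). One argument: scan that file.
    if len(sys.argv) == 1:
        hits = scan_staged_diff()
    else:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hits = scan_text(fh.read())
    for h in hits:
        print("line %d: %s %s" % (h["line"], h["kind"], h["masked"]))
    sys.exit(1 if hits else 0)
```

Run against the sample, `scan_text(SAMPLE_DEBUG_DUMP)` flags the customer email, the bearer JWT and the AWS key ID while letting the `example.com` fixture through. Installed as `.git/hooks/pre-commit` (or as a CI step over `git diff origin/main...HEAD`), a non-zero exit blocks the commit; the point of masking the matches is that the scanner itself must not become a second place the data leaks to.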
Kye
I never used it because I could never figure out the pricing. Fortuitous.
1123581321
It’s been either free or $20/mo for a long time. You use the free version until you hit a paywall.
They’re a cool company, all or mostly self-funded and from the Midwest (St Louis, IIRC.) I hope this isn’t too damaging.
linwangg
Zapier’s breach shows that even big SaaS companies can accidentally expose customer data in code repos. If they got hit due to a 2FA misconfiguration, how many other companies are at similar risk without knowing?
Puts
Similar things have happened before:
https://gizmodo.com/amazon-engineer-leaked-private-encryptio...
"An Amazon Web Services (AWS) engineer last week inadvertently made public almost a gigabyte’s worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments."
This is the most mealy-mouthed disclosure ever. Shame on them.
How can an employee's 2FA misconfiguration lead to someone else accessing these repos? 2FA setups are supposed to prevent this sort of thing. If I had to guess, it was someone on the "devops/sre/infra" team that usually has god-mode access who was setting up some integration and disabled 2FA for testing or something for a test account... but it would have had to be disabled for a while for the attacker to get access.
What kind of customer data were they storing in their repository? Were they storing raw webhook data/API responses in GitHub gists or something (wouldn't put it past them)?
As a sidenote, I've worked with folks from Zapier and I'm not impressed with their engineering. Their integrations are super fucking brittle, it's like it was designed by toddlers. I would not depend on them for any kind of business-critical functionality.