Zapier says someone broke into its code repositories and may have customer data
9 comments
March 1, 2025
pm90
This is the most mealy-mouthed disclosure ever. Shame on them.
How can an employee's 2FA misconfiguration lead to someone else accessing these repos? 2FA setups are supposed to prevent this sort of thing. If I had to guess, it was someone on the “devops/sre/infra” team that usually has god-mode access who was setting up some integration and disabled 2FA for testing or something for a test account … but it would have had to be disabled for a while for the attacker to get access.
What kind of customer data were they storing in their repository? Were they storing raw webhook data/API responses in GitHub gists or something (wouldn’t put it past them)?
As a sidenote, I've worked with folks from Zapier and I'm not impressed with their engineering. Their integrations are super fucking brittle; it's like it was designed by toddlers. I would not depend on them for any kind of business-critical functionality.
toomuchtodo
Disclosure: ex-Zapier employee, shareholder, bias disclosed, I have zero information or access today. Thoughts and opinions always my own.
I’m not sure who you worked with, but I worked for several years with both engineers and the CTO, and I strongly disagree with your assertion regarding their engineering prowess. It is one of the most engineering focused companies I have ever worked at in ~25 years, and at least while I was there, the bar was high (and continued to rise during my tenure).
Security is hard, perfect security is impossible. You prioritize workload to the best of your ability, and hope you outrun adversaries. Sometimes, you will lose, and you have a plan for that. People are always the weakest link.
Integrations are brittle because integrating with thousands of APIs is hard, and APIs are constantly changing underneath the system. In my opinion, the core was robustly architected and implemented (although it has changed over time).
(head of security at a fintech, 10+ years security in financial services)
stenius
I know lots of people that have their 2-factor auth setups on the same computer they are using to log in. If you can compromise that computer, there's no additional "2FA" needed.
All it takes is some engineer that needs admin access for their job installing something.
Kye
I never used it because I could never figure out the pricing. Fortuitous.
1123581321
It’s been either free or $20/mo for a long time. You use the free version until you hit a paywall.
They’re a cool company, all or mostly self-funded and from the Midwest (St. Louis, IIRC). I hope this isn’t too damaging.
mvdtnz
Why is there customer data in code repositories?
> The customer data had been “inadvertently copied to the repositories for debugging purposes,” according to an email obtained by The Verge.
What on earth? How is this possible?
> we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.
"instances". Plural.
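The failure mode in that email, customer records and credentials landing in a repo "for debugging purposes", is exactly what a pre-commit or CI secret/PII scanner is meant to catch before the push happens. What follows is an added example written for this thread, not Zapier's code and not anything from the article: a small Python scanner that runs regex rules (emails, AWS access key IDs, bearer tokens, JSON fields with PII-ish names) plus detect-secrets-style entropy checks (hex runs of 32+ chars above 3.0 bits/char, base64-ish runs of 32+ chars above 4.5 bits/char) over constructed file contents. The sample files, the allowlisted test domains and the thresholds are assumptions for illustration; in a real hook you would feed it the staged diff instead of the inline dictionary.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Named regex rules. Order matters only for the order findings are reported in.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{20,}"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pii_json_key": re.compile(
        r'"(email|phone|ssn|card_number|address)"\s*:\s*"[^"]+"'
    ),
}
# Entropy rules (thresholds are assumptions, modelled on detect-secrets defaults).
HEX_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,}(?![0-9a-fA-F])")
BASE64_RE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
HEX_THRESHOLD = 3.0
BASE64_THRESHOLD = 4.5
# Domains used by fixtures and docs; a real hook would load these from config.
ALLOWLIST_DOMAINS = {"example.com", "example.org", "test.invalid"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # truncated so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _overlaps(span, covered):
    return any(span[0] < b and a < span[1] for a, b in covered)


def find_sensitive(path: str, text: str) -> list:
    """Return Findings for one file's contents, one pass per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        covered = []  # spans already reported, so entropy rules do not double-report
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if kind == "email" and m.group(0).rsplit("@", 1)[1].lower() in ALLOWLIST_DOMAINS:
                    continue
                covered.append(m.span())
                findings.append(Finding(path, line_no, kind, m.group(0)[:24]))
        for kind, pat, limit in (
            ("hex_secret", HEX_RE, HEX_THRESHOLD),
            ("base64_secret", BASE64_RE, BASE64_THRESHOLD),
        ):
            for m in pat.finditer(line):
                if _overlaps(m.span(), covered):
                    continue
                if shannon_entropy(m.group(0)) >= limit:
                    covered.append(m.span())
                    findings.append(Finding(path, line_no, kind, m.group(0)[:24]))
    return findings


def scan_files(files: dict) -> dict:
    """Map each path to its list of Findings (empty list when clean)."""
    return {path: find_sensitive(path, text) for path, text in files.items()}


# Constructed sample repo contents: a debug dump of a customer record, a module
# with hard-coded credentials, and a clean fixture using an allowlisted domain.
SAMPLE_FILES = {
    "app/debug_dump.json": '{"zap_id": 4242, "email": "alice@acme-customer.io", "phone": "+1-555-0100"}\n',
    "app/client.py": (
        'API_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'HEADERS = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.c2lnbmF0dXJl"}\n'
        'WEBHOOK_SECRET = "whsec_9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc"\n'
        'SIGNING_KEY = "k9Qx2mLz7Tp4Wn0Rv8Hb3Yc6Jf1Gd5Se+Ua/ViXo="\n'
        "DEFAULT_RETRY_BACKOFF_MULTIPLIER_SECONDS = 2\n"
    ),
    "tests/fixtures.py": 'USER = "bob@example.com"\n',
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, found in results.items():
        for f in found:
            print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}...")
    # Non-zero exit blocks the commit when wired in as a pre-commit hook.
    raise SystemExit(1 if any(results.values()) else 0)
```

The long constant name on the last line of `app/client.py` is there deliberately: it is 40 characters of the base64 alphabet but sits below the 4.5-bit threshold, which is why the hex and base64 rules use different cut-offs (a hex string cannot exceed 4 bits/char, so one shared threshold either misses hex keys or flags ordinary identifiers). Snippets are truncated in the report so the hook's own output does not end up in CI logs as a second leak.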
Zapier’s breach shows that even big SaaS companies can accidentally expose customer data in code repos. If they got hit due to a 2FA misconfiguration, how many other companies are at similar risk without knowing?