Cyber Incident Victim: Comodo Group, Inc.
Date: Jul 2019
Location: United States of America
Summary
A security company experienced unauthorized access to internal systems after a hacker used an email address and password that one of its developers had exposed in a public GitHub repository; the account was not protected by two-factor authentication, so the password alone was enough to log in. The compromised account gave access to sensitive documents, including customer contracts, sales data, employee biographies, and vulnerability reports. A security researcher found the exposed credentials and alerted the company, noting that the account had already been abused to send spam emails. The organization confirmed that the incident involved an automated account used for marketing, asserted that no data was manipulated, and said the account was secured shortly after notification. The incident illustrates the risk of credentials committed to publicly accessible code repositories.
Description
On July 26, 2019, a hacker gained unauthorized access to internal systems of Comodo, a security company and former SSL certificate issuer, using credentials exposed in a public GitHub repository owned by one of its software developers. The credentials, an email address and password inadvertently made public, gave access to the company's Microsoft-hosted cloud services. The account was not protected by two-factor authentication, so the leaked password alone was sufficient to log in. Netherlands-based security researcher Jelle Ursem identified the exposed credentials and contacted Comodo Vice President Rajaswi Das via WhatsApp to report the issue; Comodo revoked the password the following day. Ursem's investigation showed that the account had already been compromised by another actor before his discovery, as evidenced by spam emails sent from it that impersonated the French finance ministry and offered fraudulent tax refunds.

The breached account gave access to a range of internal Comodo documents stored in OneDrive and SharePoint, including sales spreadsheets, customer agreements, vulnerability reports, and organizational data such as employee biographies, contact details, photos, and calendars. Filenames indicated contracts with entities such as hospitals and U.S. state governments, though Ursem confirmed that no customer certificate private keys were exposed. Comodo characterized the account as an automated one used for marketing and transactional email and asserted that the accessed data was not altered; the company secured the account within hours of Ursem's notification. The incident is one of a series of breaches caused by developers unintentionally publishing credentials in public code repositories, a mistake previously exploited against companies such as Asus and Uber.
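The failure mode described above, a working email address and password committed to a public repository, is one that can be caught before the push reaches GitHub. The scanner below is an added example written for this page; it is not Comodo's tooling and does not come from the original reporting. It checks a file's contents, and only the added lines of a unified diff (the pre-commit hook view), for password assignments, email/password pairs, AWS access key IDs, private key blocks, and long quoted strings with high Shannon entropy, while skipping vault or environment-variable placeholders that represent the desired state. All sample inputs are constructed; the rule patterns, the placeholder syntax, and the 4.0-bit entropy threshold are assumptions for demonstration, not a complete rule set.

```python
"""
Secret scanner for config files and unified diffs (added example, not Comodo's
or the researcher's tooling). Sample inputs are constructed; the rule set and
entropy threshold are assumptions chosen for demonstration, not a full ruleset.
"""
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int   # line in the scanned file (new-file numbering for diffs)
    rule: str
    snippet: str   # the offending line with quoted values masked


# Hypothetical rules. The password rule has no leading \b on purpose:
# identifiers such as SMTP_PASSWORD put a word character (_) right before it.
PASSWORD_ASSIGNMENT = re.compile(
    r"(?i)(pass(word|wd)?|pwd|secret)\b\s*[:=]\s*['\"]?(?P<value>[^'\"\s]{6,})")
EMAIL_PASSWORD_PAIR = re.compile(
    r"[\w.+-]+@[\w-]+\.[\w.-]+['\"]?\s*[:,]\s*['\"]?\S{6,}")
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Values that reference a vault or env var are the desired state, not a leak.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|\*+|changeme|xxx+)$", re.I)
# Long quoted tokens are judged by entropy to catch keys with no known prefix.
QUOTED_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune against real data
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for empty or single-character strings."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_line(line: str):
    """Return the name of the first rule that flags the line, or None."""
    m = PASSWORD_ASSIGNMENT.search(line)
    if m and not PLACEHOLDER.match(m.group("value")):
        return "password_assignment"
    for name, rx in (("email_password_pair", EMAIL_PASSWORD_PAIR),
                     ("aws_access_key_id", AWS_ACCESS_KEY_ID),
                     ("private_key_block", PRIVATE_KEY_BLOCK)):
        if rx.search(line):
            return name
    for m in QUOTED_TOKEN.finditer(line):
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            return "high_entropy_string"
    return None


def redact(line: str) -> str:
    """Mask quoted values so a report never re-leaks the secret it found."""
    return re.sub(r"""(["'])[^"']{6,}\1""", r"\1***\1", line)


def scan_text(text: str):
    """Scan a whole file's contents, line by line."""
    return [Finding(n, rule, redact(line))
            for n, line in enumerate(text.splitlines(), 1)
            if (rule := classify_line(line))]


def scan_diff(diff_text: str):
    """Scan only the lines a unified diff adds: the pre-commit hook view."""
    findings, new_line = [], 0
    for raw in diff_text.splitlines():
        h = HUNK_HEADER.match(raw)
        if h:
            new_line = int(h.group(1))          # first new-file line of the hunk
        elif raw.startswith(("diff ", "--- ", "+++ ")):
            continue                            # file headers, not content
        elif raw.startswith("+"):
            if (rule := classify_line(raw[1:])):
                findings.append(Finding(new_line, rule, redact(raw[1:])))
            new_line += 1
        elif not raw.startswith("-"):           # context line: present in new file
            new_line += 1
    return findings


# Constructed sample of a settings file a developer might commit by mistake.
SAMPLE_CONFIG = """\
# settings.py, constructed sample of what a developer might accidentally commit
SMTP_HOST = "smtp.office365.com"
SMTP_USER = "marketing-bot@example.com"
SMTP_PASSWORD = "Summer2019!Marketing"
DB_PASSWORD = "${VAULT_DB_PASSWORD}"
DEBUG = True
api_token = "Q7xP2mL9vK4nR8sT1wZ6yB3cD5fG0hJ"
"""

# Constructed diff; the AKIA value is the placeholder key from AWS documentation.
SAMPLE_DIFF = """\
diff --git a/mailer.py b/mailer.py
--- a/mailer.py
+++ b/mailer.py
@@ -1,3 +1,4 @@
 import smtplib
-creds = load_from_vault("smtp")
+creds = ("marketing-bot@example.com", "Summer2019!Marketing")
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 server = smtplib.SMTP("smtp.office365.com")
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG) + scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Wired into a pre-commit hook over `git diff --cached`, `scan_diff` blocks the commit that introduces the hard-coded SMTP password and the access key while letting the `${VAULT_DB_PASSWORD}` reference through. A hit must be treated as a rotation event, not just a cleanup: once a secret has been pushed it lives on in history and in any clone, so removing the line in a later commit does not revoke it.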
