Cyber Incident Victim: Canonical Ltd.
Date: Jul 2019
Location: United Kingdom
Summary
A Canonical GitHub account was compromised, leading to unauthorized creation of empty repositories and other activities. The company confirmed no evidence of source code or personal data exposure, noting its Ubuntu build infrastructure remained isolated and unaffected. The breached account was promptly removed, with an ongoing investigation and planned updates post-audit. Historical security incidents involving the organization included past forum breaches and a malicious package in the software store, though this event appeared less severe as no code alterations occurred. The intrusion followed internet scans targeting Git configuration files, potentially seeking credential exposure.
Description
On July 6, 2019, Canonical Ltd. experienced a security breach involving a compromised GitHub account belonging to the organization. The Ubuntu security team confirmed unauthorized actors used stolen credentials to create 11 new repositories and post issues within Canonical’s official GitHub organization. The repositories remained empty, with no evidence of malicious code injections or alterations to existing projects. Canonical promptly revoked access to the breached account, removing it from their GitHub organization, and initiated an investigation to assess the breach’s scope. Preliminary findings indicated no compromise of Ubuntu’s source code or personally identifiable information (PII), as the Launchpad infrastructure—used for building and maintaining Ubuntu distributions—remained isolated from GitHub and showed no signs of intrusion. The company committed to publishing further updates post-investigation, including audit results and remediation measures. Two days prior to the incident, cybersecurity firm Bad Packets had observed internet-wide scans targeting Git configuration files, which often store credentials for platforms like GitHub, suggesting a potential vector for the attack.
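The scans Bad Packets observed look for web servers that expose their `.git/` directory, because a checked-out repository's `.git/config` can carry a remote URL with an embedded username and token. The following added example (not code from Canonical or from this report) shows the two defender-side checks that follow from that: flagging `.git/` probes in a web-server access log, and inspecting a `.git/config` for credentials embedded in remote URLs. The log lines, the config file, the IP addresses and the token value are all constructed for the example.

```python
import re

# Constructed access-log lines in combined log format (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2019:10:12:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.22"
198.51.100.9 - - [04/Jul/2019:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jul/2019:10:12:09 +0000] "GET /.git/HEAD HTTP/1.1" 404 0 "-" "python-requests/2.22"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any path that enters a .git directory (/.git, /.git/config, /.git/HEAD, ...).
GIT_PATH_RE = re.compile(r'/\.git(/|$)')


def flag_git_probes(log_text):
    """Return (ip, path, status) for every request that touches a .git directory.
    A 200 on /.git/config means the server actually handed out repository metadata,
    which is the finding that needs immediate follow-up; a 404 is still a probe worth noting."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and GIT_PATH_RE.search(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits


# Constructed .git/config; the token is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy-bot:EXAMPLE_TOKEN_PLACEHOLDER@github.com/example-org/example-repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

# A remote URL whose authority part contains "user:secret@" embeds a credential in plain text.
CRED_URL_RE = re.compile(r'^\s*url\s*=\s*https?://([^/@\s]+)@', re.MULTILINE)


def find_embedded_credentials(config_text):
    """Return the userinfo part (user or user:secret) of every remote URL that carries credentials."""
    return CRED_URL_RE.findall(config_text)
```

Any hit from `find_embedded_credentials` on a deployed checkout means the credential should be treated as exposed and rotated, and the remote switched to a credential helper or SSH key so the URL itself holds nothing secret.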

This incident followed a history of security challenges for Canonical. The Ubuntu forums suffered breaches in July 2013 (1.82 million user accounts compromised), July 2016 (2 million users affected), and December 2016 (defacement only). In May 2018, a malicious package containing a cryptocurrency miner was discovered on the Ubuntu Store. Unlike more severe open-source breaches—such as the February 2016 Linux Mint hack, where attackers inserted a backdoor into the OS, or Gentoo Linux’s June 2018 GitHub compromise leading to poisoned downloads—Canonical’s 2019 GitHub incident resulted in no detectable code tampering or data exfiltration. The attacker’s decision to create conspicuous empty repositories, rather than surreptitiously modifying code, limited operational impact but highlighted credential vulnerabilities. Canonical’s containment response focused on access revocation and infrastructure audits, with no downstream supply-chain risks identified.
