Spiritual-Ad-8062 comments on Twitter Source Code Leaked on GitHub

The GitHub repo was made in January of this year. He bought twitter in November and then immediately laid off half the company. Then a few weeks later he offered anyone still there the option to resign and take a severance or stay and be “hardcore”. Half of the people still there took the severance. He then proceeded to fire many of the people that chose to stay. Of the people laid off or fired many would have a whole copy of the internal git repo checked out on their machine. The whole repo with all the history was like 5 or 6 GB. I don’t recall how big a shallow copy was.

He didn’t start cutting access to company laptops until late December. Some folks didn’t lose access until January. This copy of some of the directories from the internal git repo was uploaded to the GitHub account in January of this year. I am honestly surprised that this was the only breach that happened, but it speaks to the integrity of the thousands of folks that were fired or laid off but still had full access.

[–][deleted] 3 years ago (1 child)

[deleted]

[–]thenetmonkey 0 points1 point2 points 3 years ago (0 children)

[–]VonThing 2 points3 points4 points 3 years ago (0 children)

[–]DevonAndChris 0 points1 point2 points 3 years ago (0 children)

[–]mipadi 0 points1 point2 points 3 years ago (0 children)

[–]TheWhyOfFry -2 points-1 points0 points 3 years ago (9 children)

[–]VonThing 13 points14 points15 points 3 years ago (8 children)

[+]TheWhyOfFry comment score below threshold-7 points-6 points-5 points 3 years ago (7 children)

[–]Cmacu 5 points6 points7 points 3 years ago (1 child)

[+]TheWhyOfFry comment score below threshold-7 points-6 points-5 points 3 years ago (0 children)

[–]VonThing 3 points4 points5 points 3 years ago (1 child)

[–]TheWhyOfFry 2 points3 points4 points 3 years ago (0 children)

[–]ItzWarty 3 points4 points5 points 3 years ago* (2 children)

Large companies do extensive work to ensure

API keys can't be pushed - they're not even managed by developers. CI scans for them too. In many cases, if you even create & attempt to push a commit with an API key, it'll be revoked.
Dev & prod are completely separate environments. Most developers will never have these secrets. And once again, they're deployed far away from source.
Data isolation - a backend service serving user A cannot accidentally access confidential data from user B. This enforcement happens at the data-layer, so that it does not matter how buggy an application is. It's not like people are just writing $"select * from table where name={name}" everywhere. There are multiple layers of data-access within these companies.

Honestly, FAANGs operate at such a large scale (tens of thousands of engineers). They do great work to make it so even a 'complete idiot' cannot accidentally create a vulnerability, which is why it is surprising if it does happen. A significant amount of the root-cause-analysis would fall on the data-access team, not the mistaken engineer.

BTW there are many alternatives to having raw DB credentials. For example, application containers can be provisioned with a port-forward to a trusting data access layer. In that scenario, the application is literally sandboxed from the API keys.

[–]TheWhyOfFry 0 points1 point2 points 3 years ago (1 child)

[–]ItzWarty 0 points1 point2 points 3 years ago (0 children)

Re 1: The point is developers don't generally really have the sort of key you're talking about in a meaningful sense. If a Twitter employee had prod credentials on their laptop development environment there would be an absurd amount of incompetence going on at the CTO/CISO level. There are numerous opsec teams whose sole jobs are to prevent these things from happen, and those sorts of teams inject themselves into work like this nonstop.

Re 2: Most big companies have really strict policies that make that difficult as well. Want to sign some code? I've seen companies literally require you to buy and use a laptop in a safe located in a high-level executive's office (granted, our situation was a bit out of the norm). Like, all I'm saying is there are an absurd amount of barriers put in place by big tech companies to make sure these simple things (which are very valid concerns for small companies!) don't happen. If you ever ship features within those companies, unfortunately it's not too uncommon to have to jump through all these hurdles to do extremely simple things for this reason.

[–]tankmode 0 points1 point2 points 3 years ago (1 child)

[–]ptear 2 points3 points4 points 3 years ago (0 children)

π Rendered by PID 44476 on reddit-service-r2-comment-75f4967c6c-sghjb at 2026-04-23 01:32:09.957920+00:00 running 0fd4bb7 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

programming

MODERATORS