Reputation: 809
How does Stripe know my secret key is leaked?
I recently moved some of my repositories from AWS Code Commit to GitHub. I accidentally made one of the repositories public, instead of private. Within less than 10 mins of committing the code, I got an email from Stripe that my secret key is publicly accessible, and it included the exact file/code line which has the key.
How did this happen?
- Does GitHub detects existence of some sensitive info and informs the provider via some WebHook?
- Does Stripe keeps crawling new repositories for such leakages? It sounds practically impossible to detect so quickly.
I cannot get my head around what could have triggered this detection at Stripe's end. I was thrilling to see the action though. Of course I have rotated the secret key.
Upvotes: 1
Views: 915
Answers (1)
Reputation: 1630
GitHub has a Secret Scanning Partner Program that organizations can join. They provide a pattern to GitHub and if a string matching it is found GitHub will automatically alert the partner.
I don't believe GitHub publishes a list of partners, but I would presume Stripe is a member of that program.
Upvotes: 2
Related Questions
- Stripe: Validating Publishable and Secret API Keys
- Rails 5.1 secrets and Stripe using wrong key
- Do I need to worry about Stripe "payment_intent_client_secret"s leaking?
- Stripe API key missing Rails
- How to use Stripe's secret key and publishable key?
- Where are stripe secret keys stored and are they encrypted ? - wordpress / woocommerce
- Stripe secret key security?
- Undefined method 'secret_key' in Stripe API integration
- Is it safe to use a Stripe secret api key inside an Android app?
- What's the purpose of the secret key for stripe? Also, is this safe?