GitHub repository exposed Binance’s internal passwords and code
Binance’s source code has been openly accessible on a GitHub repository for months, with the exchange asserting that the leak posed only a ‘negligible risk.’
Journalists at 404 Media discovered what they say is a “highly sensitive cache of code, infrastructure diagrams, internal passwords,” and other technical information related to Binance, openly available on a GitHub repository for several months.
According to the report, the repository included a folder labeled ‘binance-infra-2.0’ with a diagram illustrating the interconnections among various components of Binance’s dependencies. Additionally, it contained numerous scripts and code, some of which appeared related to Binance’s implementation of passwords and multifactor authentication, with comments in both English and Chinese, as noted by 404 Media.
A spokesperson for Binance confirmed the leak, saying that the information “posed a negligible risk to the security of our users, their assets or our platform.” The description of the takedown request, however, painted a slightly different picture, stating that the code “poses a significant risk to Binance, and causes severe financial harm to Binance and user’s confusion/harm.”
The spokesperson also added that the code “does not resemble what we currently have in production.”
As per the report, the leak contained passwords for systems marked as “prod,” indicating production systems rather than demo or development environments. Additionally, at least two of these passwords corresponded to Amazon Web Services’ servers used by Binance, the report says. However, it is unclear if a third party distributed the code maliciously or if a Binance employee accidentally uploaded it to GitHub.