Long story short, I accidentally made one of my private GitHub projects public without realising I had put my SMTP credentials in the config files somewhere in the repository.
Several days ago I started receiving emails, written in French, from addresses I didn't know, so at first I dismissed them as possible scams or mistakes. But later I received another email, again in French, on the same topic: a delivery from a French company.
It couldn't be happening; I was always so careful with my credentials. I even considered contacting the support of my email provider to let them know that their servers had been hacked and my email was being abused.
It wasn't my email provider that got hacked, it was my SMTP credentials that leaked from my now public GitHub page. Rookie mistake, really.
What did I do?
Here are the actions I took immediately after I realised my credentials were compromised.
- The first thing I did was to invalidate my credentials and change my password, to prevent further abuse of my email service
- I contacted the addresses I had received messages from, letting them know that my email had been abused by scammers; I wrote in both English and French, just to be on the safe side
- I made sure the repository is private again and that there are no other credentials in it that could be abused
I learned a few things from this incident, some of which were actually relearning things that I already knew.
- Never store credentials in code or config (if only I had followed this single rule, this would never have happened)
- When making your code open source, you could use a separate private repository for configs
- Even better, open source only the code that is supposed to be reused; otherwise, what's the point?
- Always check my repos for accidental leaks; there are several SaaS companies that provide this functionality
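As an added example (not code from the original post), a small Python scanner for the last lesson: it flags lines in config-like files that assign an SMTP password or embed one in an smtp:// URL, masks the value in its report, and skips env-var references and placeholders. The patterns, the file suffixes and the sample config are constructed for this example.

```python
import re
from pathlib import Path
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    snippet: str  # offending line with the secret value masked
# Two ways SMTP credentials usually end up in config files (patterns constructed for this example).
RULES = {
    # key = value / key: value / key = "value", where the key names an SMTP/mail password
    "smtp-password-assignment": re.compile(
        r"""(?i)\b(smtp|mail|email)[_.-]?(pass(word)?|pwd|secret)\b\s*[:=]\s*['"]?(?P<val>[^'"\s#]+)"""),
    # smtp://user:password@host connection URLs
    "smtp-url-with-password": re.compile(r"""(?i)\bsmtps?://[^\s:/@'"]+:(?P<val>[^\s@'"]+)@"""),
}
PLACEHOLDERS = {"changeme", "xxx", "<password>", "none", "null"}  # not real secrets
SUFFIXES = {".env", ".ini", ".cfg", ".conf", ".yml", ".yaml", ".json", ".toml", ".py", ".js"}

def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            val = m.group("val")
            if val.startswith("$") or val.lower() in PLACEHOLDERS:  # ${SMTP_PASSWORD} is a reference, not a leak
                continue
            findings.append(Finding(path, line_no, rule, line.strip().replace(val, "***")))
    return findings

def scan_repo(root: str) -> list[Finding]:
    # Scan config-like files in the working tree under root, skipping the .git directory
    findings: list[Finding] = []
    for p in Path(root).rglob("*"):
        if ".git" in p.parts or not p.is_file():
            continue
        if p.suffix in SUFFIXES or p.name.startswith(".env"):
            findings.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return findings

# Constructed sample config, not from the author's repository.
SAMPLE_CONFIG = """\
smtp_user = mailer@example.com
smtp_password = hunter2-constructed
# MAIL_URL = smtp://alice:s3cret-constructed@smtp.example.com:587
smtp_password = ${SMTP_PASSWORD}
"""
```

The scanner looks only at the working tree; a credential that was committed once stays in the git history until that history is rewritten, so rotating the credential, as done above, is the step that actually matters.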