Hackers have listed 860GB of internal source code belonging to the American retail corporation Target for sale on an underground forum.
The attackers allege to have exfiltrated the trove from the Minneapolis, Minnesota-based retailer’s self-hosted Gitea development server.
Gitea is a Git-based software development platform that provides collaboration tools, code review, issue tracking, and integrates with continuous integration systems.
Hackers leak Target’s source code
The threat actor have uploaded source code samples as proof, suggesting that the data breach claim was legitimate. The leaked repositories contain Target’s source code, configuration files, and documentation. They also contained files referencing Target’s internal systems, such as wallet services, identity management systems, networking tools, and gift card systems.
The names of Target development servers, software development leads and engineers were also referenced in the leaked commit metadata and documentation.
Some files also referenced Target’s internal URLs, such as confluence.target.com, and API endpoints. The included SALE.MD file also listed over 57,000 lines data, which the threat actor is selling alongside the source code.
If confirmed, the leaked source code and assets could severely expose the company’s infrastructure, risking subsequent cyber attacks. Attackers could analyze the source code and configuration files to identify vulnerabilities in Target’s infrastructure, potentially leading to personal data leaks.
“Attackers now have access to something that puts the whole organization at risk, all the documentation, code can be used to find more vulnerabilities in the system,” warned Mayank Kumar, Founding AI Engineer, DeepTempo. “Models can be trained to exploit flaws in security and business logic and the next attack can be even more severe.”
Meanwhile, it remains unclear whether the attacker exploited a system misconfiguration on the development server, compromised a developer account, or the incident was an insider threat. So far, the identity of the attacker has not yet been established.
While Target has yet to confirm the data breach, it responded by making its repositories private on the self-hosted platform. Target’s Git server also redirects users to log in using a corporate network or VPN, suggesting that the threat actor no longer had access to Target’s software development platform.
The removal of Target’s self-hosted repositories and the sensitive information included in the leaked files, also suggest the source code was not from the company’s public projects. Additionally, Target hosts its public projects on GitHub, while the leaked metadata referenced the self-hosted development platform at git.target.com.
“Unlike breaches that focus on customer data, a compromise of development infrastructure exposes the blueprints of how a company’s systems operate,” stated Steve Cobb, Chief Information Security Officer at SecurityScorecard. “Once engineering assets surface publicly, even briefly, the spread becomes extremely difficult to contain and can create opportunities for deeper compromise.”
Target has been exploited in the past
The recent source code leak is far from the first cyber attack to hit the retail giant. In 2013, Target experienced a third-party data breach via its vendor, which compromised the personal and payment information of 40 million people and the accounts of 70 million others.
Target agreed to pay $18.5 million to settle a multi-state investigation, while the estimated total cost of the data breach was $202 million. The retail company also suffered reputational damage and experienced reduced sales as a result of the cyber attack.
In 2011, Target and other companies were affected by a third-party data breach affecting an email marketing platform. Besides the two cybersecurity incidents, Target has improved its defenses and has not suffered a cyber attack in over a decade.
Meanwhile, retail companies have become attractive targets due to the vast amounts of personal information they collect and store from their customers in the course of business.
