Disney, Microsoft, Nintendo and 50 more hit by massive source code leak [updated]

mario kart 8 deluxe
(Image credit: Nintendo)

UPDATED Tuesday, July 28 with comment from Tillie Kottmann.

More than 50 high-profile companies have had their software source code made freely available online, partly as the result of incorrectly configured infrastructure. 

Software source code belonging to household names such as Adobe, Microsoft, Lenovo, Qualcomm, AMD, Motorola, GE Appliances, Nintendo, Disney, Daimler, Roblox and many other companies was collected and placed in an online repository.

This may be related to a huge dump of Nintendo source code that started appearing online June 24. Tom's Guide could not confirm a link because the Nintendo data seems to have been removed from the GitLab repository of company code at the heart of this story.

However, the hacker who posted some of these files has explained the provenance of the Nintendo source code. We've added a bit at the end of our story.

Easily accessed 

According to a report by Bleeping Computer, the leaked code was collected by Swiss software developer Tillie Kottmann and put under the names “exco confidential” and “confidential & proprietary” in a GitLab repository that can be accessed by anyone.

Kottmann amassed a large bulk of source code by scanning third-party sources and misconfigured DevOps applications. The leaks affect a broad variety of companies from tech giants to retailers.

Pseudonymous security researcher Bank Security estimates that more than 50 firms had their source code made available in the repository. 

“The source code related to over 50 companies has been leaked and posted on a public repository,” tweeted Bank Security. “In some cases there are hard-coded credentials.”

Bank Security posted a list of the affected companies on Pastebin. It is safe to view the list.

Many sectors impacted

Bleeping Computer pointed out that within Kottmann’s repository, source code from organizations in industries such as fintech, banks, gaming, and identity and access management software was also published online. 

Kottmann explained to Bleeping Computer that they (Kottmann identifies as non-binary) had come across hard-coded credentials in the repositories but took steps to stop them from being abused: “I try to do my best to prevent any major things resulting directly from my releases.”

While Kottmann doesn’t report the leaks to the affected companies all the time, they said they will respond to takedown notices and ensure this information isn’t used to cause further damage.

It’s likely that Daimler AG and Lenovo issued such requests, as the former doesn’t appear in the repository anymore and the latter simply has a folder with nothing in it. Some companies probably don’t even know that their source code has ended up online in a public respiratory. 

Tom's Guide is not providing a link to Kottmann's GitLab repository, as doing so would be questionable both ethically and legally, but it can be found by scrolling through Kottmann's recent tweets.

Dangerous consequences

Jake Moore, a security specialist at ESET, told Tom’s Guide: “Losing control of the source code on the internet is like handing the blueprints of a bank to robbers. 

“This list will be viewed by cyber criminals far and wide looking for vulnerabilities as well as confidential information in a scarily short space of time.”

He recommends: “Those websites affected will immediately need to put further protection measures in place to help protect those sites from the inevitable increase in nefarious traffic to avoid further data compromises. However, it appears not all of the sites will have been made aware yet which can rub salt into the wound should the end users find out before the companies themselves.” 

Update: Kottmann clarifies the Nintendo situation

Kottmann reached out to Tom's Guide Tuesday (July 28) concerning the Nintendo source code and why it didn't appear in the GitLab repository.

"The Nintendo Gigaleak does not originate from me," Kottmann wrote. "We simply reshare some popular leaks on our Telegram channel sometimes, and repack them in more easily accessible formats for most people."

In fact, the Nintendo code was never on GitLab, they added.

"Nintendo is notorious for quick takedowns," Kottmann wrote, "so I usually host that elsewhere or directly provide zips/torrents on our Telegram channel."

  • More: Stay anonymous and safer online with the best VPN

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!