Dear team,
InfoSec has discovered that keys for the following service accounts are exposed in traveloka.com GitHub repositories:
A leaked service account key can be used to access sensitive resources in our GCP projects such as Pub/Sub, Bigtable, etc. InfoSec has categorised this issue as High security risk, so immediate action from the affected teams is required (please see the “What you need to do” section). We have generated a new key and stored it in our parameter store; we now need service owners to update their services to use it.
This applies to the service owners of the services listed in this sheet and to the users of tracking service v1.
With guidance from InfoSec, the deadline for this action is 28th February 2022. We will revoke the old key on 7th March 2022 (moved from 1st March 2022).
If you have not rotated by the deadline, your service will start receiving HTTP 403 errors when it tries to publish tracking data once the old key is revoked, which could lead to data loss.
For further questions or support, please contact @data-cde in the #cde-tracking-support channel.
The list in the sheet is not exhaustive: InfoSec has scanned our GitHub repositories with several kinds of patterns, but some uses of the key may have been missed. If your service uses the old key and is not in the list, please rotate it as well. Thank you.
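To check your own repositories for the old key, the following is an added example of the kind of pattern scan InfoSec ran; it is not InfoSec's actual scanner or a Traveloka tool. It looks for the fixed shape of a GCP service account JSON key (`"type": "service_account"`, a 40-hex-character `private_key_id`, an `@...iam.gserviceaccount.com` email) and for bare PEM private-key blocks pasted outside JSON, and flags any key whose ID is on a revoked list. The revoked key ID, the project and email names, and the sample files are all constructed for the example; in practice you would fill `REVOKED_KEY_IDS` from the sheet.

```python
"""Scan files for leaked GCP service account key material (added example)."""
import json
import os
import re
import sys
from typing import Dict, List

# A downloaded service account key is JSON with a fixed set of fields.
SA_JSON_RE = re.compile(r'"type"\s*:\s*"service_account"')
KEY_ID_RE = re.compile(r'"private_key_id"\s*:\s*"([0-9a-f]{40})"')
SA_EMAIL_RE = re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")
# A PEM block on its own catches keys pasted into notes, scripts or configs.
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

# Constructed for the example: key IDs that InfoSec has flagged for revocation.
REVOKED_KEY_IDS = {"0123456789abcdef0123456789abcdef01234567"}

# Constructed sample repository contents, keyed by relative path.
SAMPLE_FILES: Dict[str, str] = {
    # A full JSON key file committed by mistake (placeholder key bytes).
    "config/tracking-sa-key.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef0123456789abcdef01234567",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvPLACEHOLDERNOTAREALKEY\n"
                       "-----END PRIVATE KEY-----\n",
        "client_email": "tracking-publisher@example-project.iam.gserviceaccount.com",
    }, indent=2),
    # Only a path to a key, no key material: should not be flagged.
    "deploy/env.sh": "export GOOGLE_APPLICATION_CREDENTIALS=/secrets/tracking-sa-key.json\n",
    # A PEM block pasted into a scratch file while debugging.
    "notes/scratch.txt": "# pasted while debugging\n-----BEGIN PRIVATE KEY-----\n"
                         "MIIEvPLACEHOLDERNOTAREALKEY\n-----END PRIVATE KEY-----\n",
}


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per piece of key material found in `text`."""
    findings: List[Dict[str, object]] = []
    if SA_JSON_RE.search(text):
        key_ids = KEY_ID_RE.findall(text)
        emails = SA_EMAIL_RE.findall(text)
        key_id = key_ids[0] if key_ids else ""
        findings.append({
            "path": path,
            "kind": "service_account_json",
            "client_email": emails[0] if emails else "",
            "private_key_id": key_id,
            "revoked": key_id in REVOKED_KEY_IDS,
        })
    elif PEM_RE.search(text):
        # A PEM block without the JSON wrapper: cannot tell which key it is,
        # so report it for manual review rather than match against the list.
        findings.append({
            "path": path,
            "kind": "private_key_pem",
            "client_email": "",
            "private_key_id": "",
            "revoked": False,
        })
    return findings


def scan_corpus(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan an in-memory mapping of path -> contents."""
    findings: List[Dict[str, object]] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Scan a checked-out repository on disk, skipping VCS and vendor dirs."""
    findings: List[Dict[str, object]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings


if __name__ == "__main__":
    # With a directory argument scan it; otherwise run over the constructed samples.
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_corpus(SAMPLE_FILES)
    for f in results:
        flag = " (REVOKED KEY, rotate now)" if f["revoked"] else ""
        print(f'{f["path"]}: {f["kind"]} {f["client_email"]} {f["private_key_id"]}{flag}')
```

Run it as `python scan_keys.py path/to/repo` against each checkout; a `service_account_json` finding whose ID is in the revoked set is a service that will break at revocation, and a `private_key_pem` finding needs a manual look because the PEM alone does not identify the account.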
Best regards,
Core Data Engineering