Shiba Inu Credential Leak Could Have Led to "Theft, Token Embezzlement, Disruption of Services"

Security firm PingSafe has allegedly discovered that the popular meme token's team had leaked its Amazon Web Services credentials in August, putting the entire project in jeopardy for two full days. The team, which remains anonymous, has also remained silent on the matter.


Key Takeaways

  • Security firm PingSafe found that Shiba Inu token's development team leaked its AWS credentials in August.
  • The leaked credentials were valid for two days; they have since been removed from the project's GitHub repo.
  • Though the issue has been resolved, PingSafe did not receive a response after contacting Shiba Inu's team.


The team behind Shiba Inu token (SHIBA) reportedly leaked its AWS credentials for more than two days in August.

Shiba Inu Leaked AWS Credentials

Shiba Inu quietly leaked key credentials last month.

Security firm PingSafe published a report on September 8 detailing its findings. It said that on Aug. 22, it discovered that a commit in Shiba Inu’s public GitHub repository displayed credentials related to the project’s Amazon Web Services (AWS) account.

The leak included several pieces of data, including AWS_ACCESS_KEY and AWS_SECRET_KEY, two environment variables that allow scripts to access an AWS account. In this case, the affected code was part of a shell script used to run validator nodes for Shiba Inu’s Layer 2 network, Shibarium.

PingSafe said that this error “severely exposed the company’s AWS account” and could have led to security breaches such as theft of funds, embezzlement, and service disruptions.

PingSafe added that it attempted to contact Shiba Inu and various developers over email and social networks to inform them of the risk but did not receive a response. The security firm also tried to find a bug bounty program or responsible disclosure policy but found no means of reporting the issue.

The leak is no longer a risk, as the credentials became invalid after two days. The Shiba Inu team has also deleted the commit containing the leak following PingSafe’s report, and more recent code commits do not contain the leaked data.
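
A check of the kind that catches this class of leak before a shell script reaches a public repository, shown as an added example (it is not PingSafe's or Shiba Inu's code). The sample script and all key values are constructed, the file name `run-validator.sh` is hypothetical, and the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` spellings are the standard AWS CLI names, covered in addition to the two variables named above.

```python
import re

# Variable names of the kind named in the article, plus the standard AWS CLI/SDK spellings.
CRED_VAR = r"AWS_(?:ACCESS_KEY(?:_ID)?|SECRET(?:_ACCESS)?_KEY)"
# Optional leading '#': a commented-out secret is still in the commit history.
ASSIGN = re.compile(r"^\s*#?\s*(?:export\s+)?(" + CRED_VAR + r")=(.*)$")
# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 characters.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Constructed sample input: none of these values are real credentials.
SAMPLE = """\
#!/bin/sh
export AWS_ACCESS_KEY="AKIAEXAMPLEKEY000000"
export AWS_SECRET_KEY='constructed/secret+value/not+a+real+key0'
export AWS_SECRET_KEY="${AWS_SECRET_KEY}"
AWS_ACCESS_KEY=$(cat /run/secrets/aws_key_id)
# AWS_SECRET_KEY=constructed/old+value
aws configure set aws_access_key_id AKIAEXAMPLEKEY000000
"""


def is_literal(value):
    """True for a hard-coded value; False for $VAR, ${VAR}, $(cmd), empty or <placeholder>."""
    value = value.split(" #", 1)[0].strip().strip("'\"")
    if not value or "$" in value:
        return False
    return not (value.startswith("<") and value.endswith(">"))


def scan(text, path="<stdin>"):
    """Return (path, line_number, rule) findings; secret values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN.match(line)
        if m and is_literal(m.group(2)):
            findings.append((path, lineno, "hardcoded " + m.group(1)))
        elif KEY_ID.search(line):
            findings.append((path, lineno, "access key id literal"))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan(SAMPLE, "run-validator.sh"):
        print(f"{path}:{lineno}: {rule}")
```

Run as a pre-commit or CI step, a non-empty result should block the commit; a key that has already been pushed needs to be revoked, since deleting the commit does not undo the exposure.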

Shiba Inu has not been a major target for attacks. However, broader attacks have seen the coin stolen: SHIBA was one asset stolen in a $611 million attack on Poly Network one year ago, while an attack on Bitmart in December saw $32 million of the SHIBA token stolen.

Shiba Inu is currently the 12th largest cryptocurrency by market cap, boasting a capitalization of $7.5 billion.

Disclosure: At the time of writing, the author of this piece owned BTC, ETH, and other cryptocurrencies.
