Asus is having a rough week. Shortly after Kaspersky Labs revealed Operation ShadowHammer, which distributed a compromised version of the Asus Live Update Utility to as many as 1 million people, a security researcher called "SchizoDuckie" told TechCrunch that Asus employees had shared their corporate email passwords on GitHub.
SchizoDuckie, which is simultaneously the best and worst pseudonym we've seen, reportedly discovered at least three instances of Asus engineers sharing the passwords to their company email accounts. One was found in a GitHub repository used to share code, one on an engineer's GitHub page and one inside another engineer's code.
TechCrunch said that SchizoDuckie "shared several screenshots to validate his findings." The researcher is said to have gained access to an email account "used by internal developers and engineers to share nightly builds of apps, drivers and tools" by using the credentials he found in the GitHub repository.
It would have been easy to use the credentials, and the email accounts they unlocked, for phishing attacks. People tend to trust messages from people they know, which could make recipients much more likely to offer up sensitive information or trust a malicious file that can then be used to attack Asus' networks.
Asus told TechCrunch that it was "actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks," but was "unable to verify the validity" of the claims. Yet, the repositories were deleted just one day after TechCrunch reached out to Asus.
The company attempted to downplay Operation ShadowHammer too, so it's not surprising that it would deny SchizoDuckie's findings, especially when it's easier to discount a pseudonymous researcher than an established security company. But even if the concerns are overstated, these lackadaisical responses seem ill-advised.