Hacker News
Atlassian HipChat was breached. Time to reset your password. (hipchat.com)
118 points by nixgeek on Feb 1, 2015 | 16 comments


With the number of companies that store company-confidential data in HipChat, the real question is whether or not it was a targeted attack on specific organizations, or if it was a general breach of access on the generic user database.


Wondering the same. What if this was Github? What if private repos were somehow exposed? All these team apps could expose sensitive data if targeted/breached.


Do companies really store sensitive code IP on public cloud sites like github, which could be acquired at any time by a competitor?


Does your company use google apps for email? If not, can you understand why some companies do? Same thing IMO. It's a calculated risk that is OK for some but not for others.

If I was managing the IT dept for a government security contractor I wouldn't be using cloud email.

If I'm knocking up the next cloud service mashup, I'm fairly sure I'd be storing the code in a private github repo until there was a need or decision to change.

So yes, sensitive code is stored in public cloud sites. Sensitive emails are too.


You can set up LDAP for Github Enterprise:

https://help.github.com/enterprise/11.10.340/admin/articles/...


Think you replied to the wrong comment.


You don't have to rely on Github, you can use Github Enterprise which gives you a little bit more control and allows you to run it on your own servers.

That said, my understanding is that authentication even for Github Enterprise is done through Github itself. (Someone please correct me if I'm wrong)


Authentication for Github Enterprise is customisable. At my organisation we use LDAP, but it has built-in auth and a few others IIRC.

The enterprise product is stand-alone, it doesn't talk to the cloud version.


I'm sure they do. Most people don't care or think about security until things go wrong.


I've seen passwords and other sensitive config data committed to public repos in GitHub. I wouldn't even be slightly surprised by people keeping sensitive IP or trade secrets there, on the assumption that if it's a private repo, it must be safe.


To clarify for others who might not see this: Where do you think sensitive data - private keys, passwords, etc. - should be kept? For instance, when setting up infrastructure for a company, how would you desire that data be shared across users?

One might have the same reservations about something like Heroku - or really any cloud provider - given that at some point, you are pushing code to a server that is owned by another company whose security you cannot audit.


If you use ansible, there is a great feature called ansible-vault that allows you to store all those sensitive bits right in the repo but encrypted and automatically readable by ansible when needed.


Darwin might have a few thoughts about the long-term economic uniqueness of such companies in a world of "fast followers".


Netflix runs most of their operations on AWS and Amazon Prime is one of their largest competitors.


And they usually commit passwords, private keys, etc too.

(From my prior experience working for a publicly traded US company)


Blackduck should offer an inline git-commit code scrubbing proxy.
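The thread circles the same practical question twice: passwords and private keys end up committed (the "I've seen passwords and other sensitive config data committed" comment above), and the last comment asks for an inline commit scrubber. One way to build that check is a pre-commit scan of the lines a commit adds, so a secret is refused before it ever reaches GitHub or an on-premise GitHub Enterprise. The block below is an added example in Python; it is not code from the thread, from Atlassian or from Black Duck. The regexes, the 4.0-bits-per-character entropy cut-off and the sample diff are this example's own constructed choices, and the `${ENV_VAR}` / `{{ vault_var }}` placeholder rule is there so that references to an environment variable or to an ansible-vault variable (as in the ansible-vault comment above) are not flagged as secrets:

```python
"""Pre-commit secret scan over a unified diff (added example, not from the thread).

Only the lines a commit ADDS are scanned, so this can run on
`git diff --cached` from a pre-commit hook and refuse the commit locally.
Three detectors: fixed formats (private key blocks, AWS access key IDs),
literals assigned to secret-looking names, and high-entropy quoted literals.
Patterns, threshold and sample diff are this example's own assumptions.
"""
import math
import re
import sys
from collections import Counter

# Fixed-format secrets: one hit is enough to block on its own.
HARD_PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# A literal of 8+ characters assigned to a name that suggests a secret.
ASSIGN = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)["']?\s*[:=]\s*['"]([^'"]{8,})['"]"""
)
# Values that are references, not secrets: ${ENV_VAR} or {{ vault_variable }}.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|\{\{.*\}\})$")
# Any quoted run of 20+ base64/hex-ish characters is an entropy candidate.
LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for this example


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def added_lines(diff):
    """Yield (path, new_file_lineno, text) for every '+' line of a unified diff."""
    path, lineno, in_hunk = None, 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff "):
            in_hunk = False  # next file: '+++'/'---' are file headers again
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif not in_hunk and raw.startswith("--- "):
            continue
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno = int(m.group(1)) - 1 if m else 0
            in_hunk = True
        elif in_hunk and raw.startswith("+"):
            lineno += 1
            yield path, lineno, raw[1:]
        elif in_hunk and raw.startswith(" "):
            lineno += 1  # context advances the new-file counter; '-' lines do not


def scan_line(path, lineno, text):
    """Return (path, lineno, kind) findings for one added line."""
    findings = []
    for kind, pat in HARD_PATTERNS.items():
        if pat.search(text):
            findings.append((path, lineno, kind))
    m = ASSIGN.search(text)
    if m and not PLACEHOLDER.match(m.group(2)):
        findings.append((path, lineno, "literal assigned to secret-looking name"))
    for lit in LITERAL.findall(text):
        if shannon_entropy(lit) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high-entropy string literal"))
    return findings


def scan_diff(diff):
    return [f for p, n, t in added_lines(diff) for f in scan_line(p, n, t)]


# Constructed sample diff; the AWS key id is Amazon's published example value
# and the private key body is a truncated stand-in, not real key material.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,7 @@
 DEBUG = False
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "${API_TOKEN}"
+SMTP_PASSWORD = "{{ vault_smtp_password }}"
+SIGNING_KEY = "q7Kd9mXw2Pz4Lr8Ts1Vb6Nh3Jg5Fc0Ya"
 ALLOWED_HOSTS = ["example.com"]
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA7Vq9Zz3x...
+-----END RSA PRIVATE KEY-----
"""


def main():
    # Read a diff from a pipe (e.g. `git diff --cached`), else scan the sample.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff)
    for path, lineno, kind in findings:
        print(f"{path}:{lineno}: {kind}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as, say, `scan_secrets.py` (a hypothetical filename), it runs as a hook with `git diff --cached | python scan_secrets.py || exit 1`. The sample shows why one detector is not enough: the low-entropy `hunter2hunter2` is caught only by the name rule, `AKIAIOSFODNN7EXAMPLE` only by its fixed format (its entropy is below the cut-off), and the unnamed signing key only by entropy, while the `${API_TOKEN}` and `{{ vault_smtp_password }}` references are left alone. The private key file is blocked by its header line regardless of how its body looks.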



