Cisco races to contain DevHub breach amid sale of stolen data

Published 22 Oct 2024

Cisco is grappling with the fallout from a breach in its public-facing DevHub environment, which was compromised by a hacker known as IntelBroker. The attacker made their move public on October 14, boasting that they had acquired sensitive information from Cisco and other major companies.

Cisco confirmed the breach, noting that some files not intended for public access were accessed but maintained that no internal systems or personally identifiable information (PII) were compromised.

The hacker allegedly stole various information, including source code, hardcoded credentials, API tokens, and encryption keys. This data is now being offered for sale on dark web forums. In response, Cisco quickly disabled public access to DevHub and launched an investigation with law enforcement support.

“As of now, we have not observed any confidential information such as sensitive PII or financial data to be included, but continue to investigate to confirm,” Cisco said in a statement.

While no immediate risks to customers have been confirmed, the stolen data, especially credentials and tokens, could still be weaponized.

Though seemingly limited in scope, the breach is a wake-up call about the vulnerabilities of public-facing environments. Cisco’s DevHub, which provides access to scripts and code for customers, was meant to be secure, but hackers exploited weaknesses to extract sensitive files.

Public-facing environments are often seen as less critical than internal systems, but security experts argue they can be just as dangerous. Jason Soroko, a senior fellow at Sectigo, stressed the risks of these kinds of intrusions, which can expose sensitive information and serve as “stepping stones to deeper intrusions”. Even if they do not contain customer data, they can reveal internal workings that attackers can use to reach other vulnerabilities.

Eric Schwake, a cybersecurity director at Salt Security, said companies can avoid breaches of this kind by using a multilayered approach involving strict access controls, secure coding practices, thorough security testing, posture governance standards, and regular security assessments.
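The controls Schwake lists are general; one concrete control that addresses the specific losses described above (hardcoded credentials, API tokens and keys shipped inside published code) is a secrets scan that gates anything before it is pushed to a public developer portal. The following is an added example in Python written for this article; it is not Cisco's code and not tooling from the original report. The file contents, paths, patterns and thresholds are all constructed for illustration.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample files standing in for the contents of a public developer hub.
# Every value here is made up; none is a real credential.
SAMPLE_FILES: Dict[str, str] = {
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export API_TOKEN=sk_live_constructed0123456789abcdefXYZ\n"
        'curl -H "Authorization: Bearer $API_TOKEN" https://api.example.invalid/deploy\n'
    ),
    "config/settings.py": (
        "DB_HOST = 'db.internal.example.invalid'\n"
        "DB_PASSWORD = 'hunter2-constructed'\n"
        "DEBUG = False\n"
    ),
    "keys/README.md": "Keys are loaded from the environment at runtime; none are checked in.\n",
    "keys/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIconstructedplaceholderkeymaterial\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# Signature patterns: each names the kind of secret it detects (constructed, not exhaustive).
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws-access-key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # KEY = 'value' style assignments where the variable name ends in a credential-like word
    ("assigned-secret", re.compile(
        r"(?i)\b[A-Z0-9_]*(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]

ENTROPY_MIN_LEN = 20      # shorter strings give unreliable entropy estimates
ENTROPY_THRESHOLD = 3.5   # bits per character; prose and identifiers sit well below this
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")

Finding = Tuple[str, str, int, str]   # (kind, path, line number, redacted excerpt)


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(s: str) -> str:
    """Keep a short prefix so a reviewer can locate the hit without the report leaking the secret."""
    return s[:4] + "..." if len(s) > 4 else s


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's text with the signature patterns and the entropy heuristic."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((kind, path, lineno, redact(m.group(0))))
        # Heuristic: long, character-diverse strings that look like keys or tokens
        for tok in re.split(r"[\s=:'\"]+", line):
            if (len(tok) >= ENTROPY_MIN_LEN and TOKEN_RE.fullmatch(tok)
                    and shannon_entropy(tok) > ENTROPY_THRESHOLD):
                findings.append(("high-entropy-string", path, lineno, redact(tok)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def release_gate(files: Dict[str, str]) -> bool:
    """True when the file set is clear to publish, False when any finding blocks it."""
    return not scan_files(files)


if __name__ == "__main__":
    for kind, path, lineno, excerpt in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} ({excerpt})")
    print("clear to publish" if release_gate(SAMPLE_FILES) else "BLOCKED: secrets found")
```

The signature patterns catch secrets with a known shape; the entropy heuristic catches tokens with no fixed format but also flags long hashes and base64 blobs, so in practice it is a review flag rather than an automatic block. The point of the gate is where it runs: as a CI step ahead of the publish action, so a file that fails it never reaches the public environment in the first place.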

Cisco is now engaging with law enforcement to help investigate the incident, as IntelBroker is reportedly collaborating with other hackers. The hacker’s bragging on dark web forums has placed Cisco and its customers under increased scrutiny. Law enforcement is tracking the sale of the stolen files, though no arrests have been made yet.

IntelBroker has claimed responsibility for attacks on several other large companies, including Microsoft, Verizon, and AT&T. Such instances underline the urgency for corporations to reevaluate the safety of all their public-facing platforms. While Cisco has taken quick action by disabling DevHub, experts agree that the cybersecurity industry needs to pay more attention to these environments.

For now, Cisco remains confident that its core systems and customer data are secure, but as investigations continue, the company will have to address the vulnerabilities exposed by this incident.