Skip to content

Former Rabbit employee leaked API keys causing the data breach

  • by
  • 3 min read

Rabbit has finally found the source of the massive security breach in June 2024. A now-terminated Rabbit employee leaked sensitive API keys to a hacktivist group, which claimed access to the company’s internal source code. In response, Rabbit revoked and rotated the compromised API keys and moved additional secrets to AWS Secrets Manager.

While these actions are reassuring, they raise critical questions about Rabbit’s security practices and overall preparedness.

Following a third-party audit, Rabbit confirmed that all exposed secrets had been successfully revoked, ensuring no further breaches occurred from this incident.

To further fortify its defences, Rabbit enlisted the expertise of Obscurity Labs to conduct a penetration test. The key areas of focus included the security of Rabbit’s data transfer method and the potential risks associated with Playwright, a tool used for automated testing of web applications.

“Last month, an employee (who has since been terminated) leaked API keys to a self-proclaimed “hacktivist” group, which wrote an article claiming they had access to our internal source code and some API keys,” Rabbit said. “We immediately revoked and rotated those API keys and moved additional secrets into AWS Secrets Manager.”

However, this doesn’t absolve Rabbit of the shortcomings in its system. If an insider leaks the code, it questions the company’s internal security practices.

For instance, Rabbit said, “After a third-party audit of our code, we can confirm that all secrets ever stored in it have successfully been revoked. It’s important to note that this isolated incident was not caused by a breach of our security systems – those API keys were obtained and shared illegally. We are in communication with authorities for further investigation.”

The first step to finding the solution is to acknowledge the problem. Rabbit refuses to do that.

This shows that the company is not yet ready to acknowledge the breach, let alone take the blame for it. A breach is a breach. It doesn’t matter whose mistake it was or how it occurred.

While hiring a third-party cybersecurity company to do the penetration test is the right step, it should have been done before the breach, not after. This again shows that the company wasn’t concerned with the security aspects.

As per Obscurity Labs, “Another common security concern we hear is how Rabbit Inc. stores our session tokens. Rabbit Inc. isn’t directly storing them. Instead, they are using a dedicated secret storage vault designed for this purpose, the testing of which was out of scope for this penetration test.”

This statement did not go well with the jailbreaking community, as reported by 404Media. After the furore, Obscurity Labs posted an update explaining that Rabbit Inc. didn’t own the vault and, therefore, couldn’t give permission to perform a penetration test.

The incident prompts broader questions about accountability in AI technology companies. While Rabbit’s actions to rectify the breach are necessary, they also reflect a reactive rather than proactive approach to security.

Furthermore, as AI continues to integrate into various sectors, stringent security measures and accountability will become paramount.

In the News: Arbitrary file flaw in Keydatas plugin affects over 5,000 websites

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>