Stack Overflow had a security breach, and they have generously shared the details of how a hacker worked through multiple layers of security over 11 days. They gained access to source code, security keys, build processes, and some PII.
Reading their account (at https://stackoverflow.blog/2021/01/25/a-deeper-dive-into-our-may-2019-security-incident) really brought home an important lesson… small issues in overlapping layers can create a vulnerability that internal developer/systems teams would not be able to easily identify. Finding these holes is the kind of thing that is more effectively done by an outside expert.
In this case, the hacker served as an external auditor. The people at SO were able to identify and close vulnerabilities by following the hacker’s tracks.
Of course, this lesson was expensive for Stack Overflow in terms of resources and reputation.
We should all thank the good folks at SO for publishing the details so that we can learn along with them. Keeping our software, sites, networks, etc. safe is a group effort.