Steven Frank, co-founder of Panic, a vendor of Mac and iOS apps, admitted yesterday that a hacker stole some of his company’s source code.
Frank says this happened after he updated a version of the HandBrake Mac client, an app for converting multimedia files between various audio formats.
Frank apparently performed the update by downloading HandBrake from its site and manually installing it on his work computer. This update took place during the three days in which a hacker had compromised two download mirrors for the HandBrake website and swapped the official HandBrake macOS client for a version containing the Proton remote access trojan.
The Panic exec realized what happened after reading news articles about the HandBrake incident.
Hacker finds Git login and steals company source code
Frank and several Panic employees started an investigation, hoping for the best, but logs confirmed the attacker had gotten hold of Frank’s credentials for the Git system that hosted the company’s source code.
Panic is a famous Mac & iOS app maker that sells very well-known products such as:
- Coda source code editor – Mac, iOS
- Transmit FTP client – Mac, iOS
- Prompt SSH client – iOS
- Firewatch game – Mac, PC, Xbox, PS4
Frank did not reveal what source code was stolen and for what apps, but he said he coordinated with Apple to revoke the company’s older Developer ID and issue a new one.
The company also changed all exposed passwords and API secret keys used throughout its infrastructure. User data was not stolen from the compromised computer. Either way, the attacker wouldn’t have had access to the data, as it was encrypted in such a way that not even Panic employees could access it.
Hacker demands ransom
Some time after this incident, Frank says the hacker emailed him a ransom note, asking for Bitcoin and threatening to otherwise release the stolen source code and “suffocate” his company.
After “a company all-hands meeting,” Frank says they decided not to pay the ransom demand. They based their decision on the following conclusions:
- There are already cracked Panic apps available online, so leaking the source code won’t do any extensive damage to the company’s expected revenue.
- They presumed no competitor would dare reuse their code in its own apps without getting caught and shamed.
- They got Apple’s support in tracking down and dealing with malware-infected versions of their apps.
“With every day that passes, that stolen source code is more and more out-of-date,” Frank said. “That source is already missing a ton of fixes and improvements we committed over the last week alone, and six months from now it will be missing major critical new features. In short: it’s old and getting older.”
Nonetheless, Frank expects to see malware-laced versions of his apps spread on the Internet and advised Mac and iOS users to install Panic apps only from the official Apple app stores.