What's more alarming about this is that there are still some others who have not reverted their commits.
Just to clarify for anyone reading, a git revert will not solve the problem: you'll still have the .env file visible in your public git history. If you've accidentally committed a secret, you need to remove that commit completely.
If you catch the problem immediately, you can do a git reset HEAD^ followed by git push -f. This deletes the most recent commit and overwrites the remote Git history. If you realize too late what you've done, you'll need a slightly more complicated method (see this useful blog post for pointers).
Of course, on the Internet this is all pretty optimistic; someone could have scraped your secrets while they were publicly visible, even if only for a handful of seconds. The only way to really get your security back is to go change all your secret keys and passwords.
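As an added illustration of the point above (not code from the thread), this bash script builds a throwaway repository containing a constructed .env and uses git log --all to count how many commits still carry the file after a git revert versus after a git reset; it assumes git is installed, never touches a remote, and the function names secret_commit_count and demo are my own. Because the revert adds a commit of its own, the reset here drops two commits (HEAD~2) where the thread's single-commit case uses HEAD^.

```shell
#!/usr/bin/env bash
# Added example: why `git revert` leaves a committed .env reachable in
# history while `git reset` removes the offending commit. Runs entirely in a
# temporary local repository; no remote and no `git push -f` involved.
set -eu
export GIT_PAGER=cat

# Count the commits (across all refs) that ever touched the given path.
# A result of 0 means no ref can still reach a commit carrying the file.
secret_commit_count() {
    local repo="$1" path="$2"
    git -C "$repo" log --all --format=%H -- "$path" | wc -l | tr -d ' '
}

# Build the repo, commit a constructed secret, then compare revert vs reset.
# Prints three counts: after the commit, after revert, after reset.
demo() {
    local repo after_commit after_revert after_reset
    repo="$(mktemp -d)"
    git -C "$repo" init -q
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    echo "# placeholder" > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" commit -qm "initial"
    # Constructed sample value, not a real credential.
    echo "API_KEY=EXAMPLE_PLACEHOLDER_KEY" > "$repo/.env"
    git -C "$repo" add .env
    git -C "$repo" commit -qm "oops: add .env"
    after_commit="$(secret_commit_count "$repo" .env)"
    # revert adds a commit that deletes the file; the original commit stays.
    git -C "$repo" revert --no-edit HEAD >/dev/null
    after_revert="$(secret_commit_count "$repo" .env)"
    # reset drops the revert commit and the offending commit from the branch,
    # so no ref reaches them any more (this is the local half of the
    # thread's reset-then-force-push procedure).
    git -C "$repo" reset -q --hard HEAD~2
    after_reset="$(secret_commit_count "$repo" .env)"
    rm -rf "$repo"
    echo "$after_commit $after_revert $after_reset"
}
```

Expected output is "1 2 0": one commit carries the file, the revert makes it two, and only the reset brings the count to zero (the objects may still linger in reflogs and on any clone that already fetched them, which is why the thread says to rotate the keys regardless).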
Yup! That's true. If at any time you feel that you have been compromised, never hesitate to reset those keys and passwords. In fact, it should be the first thing you do, before messing up the commit history. The less time the API key is valid, the better it will be for everyone (except potential hijackers).
Not to mention that git push -f opens the door to all kinds of accidents.