That’s all we know; Zapier hasn’t given much additional information beyond the context that the customer data breach was limited in scope, only affecting certain users. As a developer, I can tell you – we use real data whenever we can, particularly when trying to hunt down a bug that is only affecting certain users. This is data that the user has already trusted the platform with - I would argue that debugging with user data isn’t the point of failure here per se (though there are definitely some discussions to be had about procedure).
The issue is that (a) the user data was committed to repositories in the first place, and (b) a third party savvy enough to stroll through Zapier’s repos was able to gain access.
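One way to catch point (a) before it happens, as an added example that is not from the original post or from Zapier: a small pre-commit check that scans staged files for records that look like real customer data (non-fixture email addresses, well-known API token prefixes) and blocks the commit. The heuristics, file handling and sample lines are my assumptions, not a description of Zapier's tooling.

```python
import re
import subprocess
import sys

# Heuristics (assumed): an email whose domain is not one of the RFC 2606 reserved
# fixture domains, or a value carrying a well-known API token prefix, is treated
# as "probably real customer data" and blocks the commit.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@(?!example\.(?:com|org|net)\b)[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
)
TOKEN_RE = re.compile(r"\b(?:sk|pk|xoxb|ghp)_[A-Za-z0-9]{16,}\b")


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind) for each line that looks like customer data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if EMAIL_RE.search(line):
            findings.append((path, line_no, "email"))
        if TOKEN_RE.search(line):
            findings.append((path, line_no, "token"))
    return findings


def staged_files():
    """List files added/copied/modified in the index (what `git commit` would record)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main():
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue  # deleted or unreadable paths are not our concern here
    for path, line_no, kind in findings:
        print(f"{path}:{line_no}: possible {kind} in staged content; use fixtures instead")
    return 1 if findings else 0  # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into your hook manager); it is a tripwire for the common mistake, not a substitute for keeping debugging datasets out of the tree entirely.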
The situation is a good example of two of the reasons I prefer self hosting open source alternatives when possible (I have more than two reasons, for the record):
A SaaS platform can’t leak your data if they never had it in the first place. Can your server be hacked? Of course! But self hosting restores some degree of data sovereignty and thoroughly puts the blame on you for any preventable leaks or hacks that occur.
While any repository could hypothetically be exposed the same way, by self hosting I have explicit control over when and how I upgrade to the next version of the software.
When utilizing a popular open source tool like N8N, I have the reassurance that there is accountability within the maintainer community for what’s being committed to the product’s code.
This means that when I do install that update, I’m pretty sure there have been plenty of eyes on it beforehand. If anything seems fishy, I can take a look at the changes myself before applying them.
Anyone aware of the security issues that have popped up in the NPM ecosystem over the last couple of years will know that open source is not a silver bullet, but at least there’s a lot more transparency around security topics, rather than just blind trust.
I build closed source SaaS products - the irony isn’t lost on me. That said, I am thankful for the generosity and goodwill of the devs and product experts working on open source tools like N8N, and the massive impact they’ve had in the form of the software innovation we’ve seen over the last couple of decades.
If you want to read more about the Zapier breach, check out this write-up from the Verge.