Improving Security for Open Source Airbyte Users
An Airbyte user reported that their unsecured instance was compromised and their connector credentials were stolen. Because transparency is a core value at Airbyte, the company has highlighted the incident to the community. The company takes security seriously but, because Airbyte is an open-source project, avoids making too many assumptions about users' infrastructure. It strongly recommends that self-hosted instances not be exposed to the public internet. Data pipelines are particularly vulnerable because they store credentials. In March 2022, Airbyte changed its upgrade flow to no longer require exporting/importing credentials and scrubbed all secrets from output by default. The current version of Airbyte is 0.40. To improve security, the company will implement basic password authentication on the UI, enable external secret storage in Airbyte Core, and implement scanners to detect publicly exposed instances.
Company: Airbyte
Date published: Aug. 18, 2022
Author(s): swyx
Word count: 1245
Language: English
Hacker News points: None found.