VMware source code stolen by hacker, published online

VMware just became the latest victim of hackers, with the firm acknowledging a breach that resulted in source code for their ESX virtualization products being stolen and posted online. The attack is reportedly the work of a hacker known as Hardcore Charlie, who claims to have around 300MB of source code which VMware says dates back to 2003 and 2004.

The virtualization software house first became aware of the breach on April 23, after the posting on Pastebin of a single file pertaining to their VMware ESX source code. The company has warned that future public postings of source code are possible but insists there is little risk to those using their virtualization suite.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," Iain Mulholland, director of VMware's Security Response Center said in a statement. "VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today."

"We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available," Mulholland continued.

Speculation currently suggests that the source of the leak is a Chinese import-export company, the China National Electronics Import-Export Corporation (CEIEC), who suffered at the hands of hackers in March. At the time, it was reported that a potential 1 terabyte of data was stolen, according to the Guardian.

Hardcore Charlie confirmed in IRC conversations with Kaspersky that the stolen data can be traced back to the breach of Sina.com server resulting in thousands of email accounts being compromised. He went on to say that he enlisted the help of another hacker, @YamaTough to crack the cryptographic hashes securing the Sina data. Access to CEIEC was later found in emails once decrypted.

Kaspersky also later confirmed "what appear to be internal VMware communications, pasted onto CEIEC letterhead and with official looking stamps," which Mulholland speculated "were manually added into the company's source code repository to provide context for developers."