
The Novo Nordisk Breach: Why Digital Keys Need Better Locks
A leaked password exposed pharmaceutical giant Novo Nordisk's software systems. The real problem wasn't the tool they used, but how they managed digital identities.
Source
GetCyberRight Intelligence
Original headline: Novo Nordisk Breach: Identity Over Tools
Plain-English summary by GetCyberRight. Read the full report at the source above.
What Happened
Pharmaceutical giant Novo Nordisk recently suffered a security breach when a GitHub token (essentially a digital master key) was leaked, exposing their software development systems. This wasn't a story about hackers breaking through firewalls. It was about a credential falling into the wrong hands, and that credential having too much power.
The Details
Think of a GitHub token like a master key to your house. Novo Nordisk had one of these digital keys leak, possibly through accidental exposure in code or a compromised developer account. Once that key was out there, whoever found it could access sensitive systems.
Here's where most organizations get it wrong. After a breach like this, the instinct is to buy better safes for storing keys. But the real question is: why did that one key open so many doors? And why wasn't anyone watching who was using it?
Secrets management tools (the digital safes) are important. But they're not enough. The deeper issue is treating these credentials as things to protect instead of identities to control. Every token, password, or API key represents someone or something accessing your systems. If you're not constantly asking "who is this, and should they still have access," you're vulnerable no matter how fancy your vault is.
Who Is Affected
Professionals working in any company that builds software or uses cloud services should pay close attention. This includes everyone from tech companies to healthcare providers, retailers, and financial institutions. If your workplace uses GitHub, AWS, Azure, or similar platforms, this pattern applies to you.
Parents should also care. The companies handling your family's health data, financial information, and personal details use these same systems. When a pharmaceutical company's development pipeline is exposed, it raises questions about how they protect patient information and research data.
What You Should Do Right Now
Ask your IT team at work if they use identity-based access controls for developer credentials. If you're in a position to influence security decisions, push for time-limited tokens instead of permanent ones.
Review your own accounts for old API tokens or app passwords. Go to GitHub, Google, Microsoft, and other services you use. Look for "connected apps" or "access tokens" in settings. Delete anything you don't recognize or actively use.
Enable alerts for new device logins on critical accounts. This applies the same principle: watching who's using credentials, not just storing them safely.
If you manage a team, implement the principle of least privilege. Give people and systems only the access they need, nothing more. Review these permissions quarterly.
Ask vendors who handle your family's data about their security practices. Medical providers, schools, and financial institutions should be able to explain how they manage access to sensitive systems.
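For teams that want to run the token review above as a repeatable check, here is a small audit added as an illustration; it is not from the original report or from Novo Nordisk's systems. The inventory is constructed, its field names are hypothetical, and the 90-day and 30-day limits are assumed policy values.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "today" so results are reproducible
MAX_LIFETIME = timedelta(days=90)  # assumed policy: a token must expire within 90 days
STALE_AFTER = timedelta(days=30)   # assumed policy: unused for 30 days means revoke

# Constructed inventory. Field names are hypothetical, not any vendor's export format.
TOKENS = [
    {"name": "ci-deploy", "owner": "build-bot", "created": "2023-03-01", "expires": None,
     "scopes_granted": {"repo", "admin:org", "workflow"}, "scopes_used": {"repo"},
     "last_used": "2025-01-14"},
    {"name": "docs-sync", "owner": "alice", "created": "2024-12-20", "expires": "2025-02-18",
     "scopes_granted": {"repo"}, "scopes_used": {"repo"}, "last_used": "2025-01-10"},
    {"name": "old-migration", "owner": "bob", "created": "2024-02-01", "expires": "2025-06-01",
     "scopes_granted": {"repo", "delete_repo"}, "scopes_used": set(),
     "last_used": "2024-03-02"},
]

def _day(text):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit(token, now=NOW):
    """Return the list of findings for one token record."""
    findings = []
    # Time-limited tokens: flag permanent keys and overly long lifetimes.
    if token["expires"] is None:
        findings.append("no-expiry")
    elif _day(token["expires"]) - _day(token["created"]) > MAX_LIFETIME:
        findings.append("lifetime-too-long")
    # Least privilege: anything granted but never exercised is an extra door.
    excess = token["scopes_granted"] - token["scopes_used"]
    if excess:
        findings.append("excess-scopes:" + ",".join(sorted(excess)))
    # Watching usage: a key nobody has used recently should be revoked.
    if now - _day(token["last_used"]) > STALE_AFTER:
        findings.append("stale")
    return findings

def report(tokens=TOKENS):
    """Map each token name to its findings; an empty list means it passes."""
    return {t["name"]: audit(t) for t in tokens}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```
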
The Bigger Picture
This breach reveals a fundamental shift in how we need to think about cybersecurity. The old model was about building walls. The new model is about knowing who's inside those walls at all times. As more of our lives move to cloud services and software systems, credential management becomes identity management. Companies that treat security as a people and process problem, not just a technology problem, will fare better.
How GetCyberRight Can Help
Our Cyber Threat Radar tool tracks exactly these kinds of enterprise breach patterns and software supply chain risks. It helps families understand when major security incidents might affect the services they use daily. Staying informed about these trends isn't just for IT professionals anymore. It's for anyone whose data lives in the cloud, which means everyone.
Curated from trusted cybersecurity sources by GetCyberRight