Protecting user credentials from being exposed
There are times when security oversights can cause user credentials (API keys, usernames and passwords) to be exposed and possibly accessed by unauthorised people.
For example, if someone is implementing an MYOB Acumatica site or developing a customisation, they might accidentally save credentials in code and store them in a public GitHub repository.
How MYOB will respond if credentials are exposed
If we discover that credentials have been exposed for your site, we will immediately:
- Disable the exposed user or API endpoint across all tenants for every instance of the site (i.e. live production, sandboxes, debug environments). This might impact the site's day-to-day operations.
- Notify the customer directly or through their partner to inform them of the incident and provide guidance on restoring their system. This includes, but is not limited to:
  - Creating a new user account for the affected person or API to replace the compromised account. The configuration of this new account (e.g., license type, roles, etc.) will depend on customer requirements.
  - Deleting the compromised account across all tenants.
  - Restoring API connections.
- Notify the MYOB legal team to assess whether the incident qualifies as a notifiable data breach under privacy law.
- Document the incident in our incident registry.
Preventing credentials from being exposed
There are simple steps you can take to help protect user credentials – see our knowledge base article for the details.