Why is it so important to keep your credentials safe?

If a malicious actor got access to my access token and my device ID, what are some of the things they could do? I’ve heard bad stories of people putting their AWS keys on GitHub and it ending badly.

  1. Unclaim all your devices from your account and transfer them to another account
  2. Access to all your firmware written in the Web IDE
  3. Retrieve sensitive webhook information that may contain credentials for other services
  4. Change the firmware of your device and flash it, resulting in your system malfunctioning (e.g. turning the heater on to 100 °C)

Would you give a stranger the keys to your house? Or your credit card with pin code?

A question that follows is what should one do if you suspect that your access token has been compromised?

As one can reset the Access Token from the Web IDE, I assume that changing this quickly would be wise.

Should one bring in Particle support to assist in any way by investigating, locking the account, etc.?

Would like to dig a little deeper into what @kennethlimcp said:

  1. Access to all your firmware written in the Web IDE

Conclusion: Keep your Access Token private!

You wouldn’t have to request a transfer, since you could just unclaim them using the access token from the corresponding account. After that, add them to your own.

@Moors7, got it.

Hopefully this sort of “fraud” can be stopped with Particle help.

Revoking your access token should suffice. Though you’d then have to reclaim any unclaimed devices. If you have physical access, that’s possible regardless. Particle interaction shouldn’t be necessary, provided you still have access to your account.
That said, if you treat your access token like your password/PIN code, you shouldn’t have to worry too much. If you go about and publish them openly, then you can expect trouble.
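An added example of the response Moors7 describes (revoke the leaked token, then check which devices are still claimed so the unclaimed ones can be reclaimed), together with a pre-publish scan for tokens pasted into source files, which is the "AWS keys on GitHub" mistake the original question mentions. This is not code from the thread or from Particle. The token format (40 hex characters), the endpoints used (`DELETE /v1/access_tokens/:token` authenticated with the account's username/password, `GET /v1/devices` with a Bearer token) and the `{"ok": true}` success reply are assumptions drawn from Particle's public Cloud API; the HTTP transport is injectable so the demonstration runs offline against a constructed fake.

```python
"""Defender-side helpers for a suspected Particle access-token leak.

Assumed (not stated in the thread): Particle access tokens are 40 hex
characters; the Cloud API offers DELETE /v1/access_tokens/:token (HTTP Basic
auth with the account's username/password) to revoke a token and
GET /v1/devices (Bearer token) to list the devices claimed by the account.
"""
import base64
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

API_BASE = "https://api.particle.io"

# A line that assigns a token-shaped value to something named like a token.
# Assumption: tokens are 40 hex characters.
ASSIGN_RE = re.compile(
    r"(access[_-]?token|particle[_-]?token)\s*[:=]\s*['\"]?([0-9a-f]{40})", re.I
)

Transport = Callable[[urllib.request.Request], Tuple[int, bytes]]


def find_leaked_tokens(text: str) -> List[Tuple[int, str]]:
    """Scan source text (e.g. in a pre-commit hook) for embedded tokens.
    Returns (line number, redacted token) so findings can be logged safely."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.search(line)
        if m:
            tok = m.group(2)
            hits.append((lineno, tok[:4] + "..." + tok[-4:]))
    return hits


def _http(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport returning (status, body); swapped for a fake when testing."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def revoke_token(token: str, username: str, password: str,
                 transport: Transport = _http) -> bool:
    """Revoke a leaked token. Authenticates with the account password rather
    than the token itself, so it still works after an attacker has used it.
    Assumes the API answers {"ok": true} on success."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{API_BASE}/v1/access_tokens/{token}",
        method="DELETE",
        headers={"Authorization": f"Basic {creds}"},
    )
    status, body = transport(req)
    return status == 200 and json.loads(body).get("ok") is True


def list_devices(new_token: str, transport: Transport = _http) -> List[Dict]:
    """List devices still claimed by the account, using a freshly issued token."""
    req = urllib.request.Request(
        f"{API_BASE}/v1/devices",
        headers={"Authorization": f"Bearer {new_token}"},
    )
    status, body = transport(req)
    if status != 200:
        raise RuntimeError(f"device list failed with HTTP {status}")
    return json.loads(body)


def missing_devices(expected_ids: Iterable[str], devices: List[Dict]) -> List[str]:
    """Device IDs owned before the incident that are no longer claimed; these
    are the ones to reclaim (physical access lets you do that regardless)."""
    present = {d["id"] for d in devices}
    return sorted(set(expected_ids) - present)


if __name__ == "__main__":
    # Constructed sample source file with a fake token pasted into it.
    sample = "API = 'https://api.particle.io'\nACCESS_TOKEN = '" + "deadbeef" * 5 + "'\n"
    print("leaked:", find_leaked_tokens(sample))  # [(2, 'dead...beef')]

    # Constructed fake cloud: revocation succeeds, one of two devices remains.
    def fake(req):
        if req.get_method() == "DELETE":
            return 200, b'{"ok": true}'
        return 200, b'[{"id": "dev-aaa"}]'

    print("revoked:", revoke_token("deadbeef" * 5, "me@example.com", "pw", transport=fake))
    still = list_devices("new-token", transport=fake)
    print("to reclaim:", missing_devices(["dev-aaa", "dev-bbb"], still))  # ['dev-bbb']
```

The revocation step deliberately uses the account password and not the compromised token, since by the time you act the attacker may already hold it; the device check then tells you exactly which devices were unclaimed, which matches Moors7's note that reclaiming them is only a problem if you lack physical access.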

Thanks for all your great answers.