GitHub Shares Details About The Stolen OAuth User Tokens Breach

Earlier this month, GitHub suffered a massive security breach affecting numerous users’ accounts. The breach allowed the hackers to download data from private GitHub repositories using stolen OAuth user tokens. GitHub has now shared details regarding the incident after addressing the matter.

GitHub OAuth User Token Breach

Around mid-April, numerous reports surfaced online regarding a data breach on GitHub repositories affecting numerous users. The attackers reportedly exploited GitHub OAuth user tokens to steal data.

Initially, the exact details of the incident remained unclear. However, the platform has recently shared insights regarding the matter.

As revealed through its post, the attackers exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI. GitHub confirmed that the attackers didn’t steal the tokens from the platform as they never store them. Instead, they possibly made it by stealing those third-party tokens.

Once stolen, the attackers accessed the platform and started downloading data, an unauthorized activity that caught GitHub Security’s attention. Specifically, on April 12, 2022, the platform noticed the matter as the attackers exploited a compromised AWS API key to access GitHub npm production infrastructure.

Upon detecting the incident, GitHub informed the two firms about the breach and asked them to revoke the stolen OAuth user tokens.

Also, the platform notified users regarding the matter. And after thorough investigations, GitHub has deduced that the attack was aimed at a specific target list. Based on their analysis of the attack pattern described in its post, GitHub observed,

This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku.

The platform urged the respective users to follow the updates from Heroku and Travis CI. Besides, all users should review the user account security logs and organization audit logs for any abnormal activity.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients