Image Credits: TechCrunch
Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the beginning of the month that was publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access to, and tapping directly into, the customer's GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers.
In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, and said 91 of its customers had their GitHub tokens compromised as a result.
These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person's source code as the token permits.
“The users have been notified, and we are working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.
News of the incident became public last week when some users on Reddit and Hacker News commented after getting an email from Mintlify on Friday about the incident, days after the company's blog post initially told customers that “no further action is required on your part.”
In a post discussing the breach on Hacker News, Wang said a vulnerability in its systems was leaking the company's internal admin credentials to customers. Those credentials could then be used to reach the company's internal endpoints and access other unspecified sensitive user information, Wang said.
Wang said that the company was in the process of deprecating the use of private tokens “to prevent an incident like this from ever happening again.”
While the blog post describes the person who discovered the vulnerability as a bug bounty reporter, the company's co-founder Wang described the events as malicious.
“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email.
“Investigations with one impacted customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.