Security News > 2022 > April > GitHub notifies owners of private repos stolen using OAuth tokens

GitHub notifies owners of private repos stolen using OAuth tokens
2022-04-19 16:55

GitHub says it notified all organizations believed to have had data stolen from their private repositories by attackers abusing compromised OAuth user tokens issued to Heroku and Travis-CI. "As of 9:30 PM UTC on April 18, 2022, we've notified victims of this campaign whom we have identified as having repository contents downloaded by an unauthorized party through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI," the company revealed in an update to the original statement.

"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker," GitHub said.

While GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further access, impacted organizations are advised to keep monitoring and reviewing their audit logs and user account security logs for potentially malicious activity.

"Should we identify additional customers who have been affected, we will notify those customers promptly. If you do not receive a notification email from us, that means GitHub has not identified your account as impacted by the current incident," GitHub added on Monday.

The threat actor used a compromised AWS API key obtained after downloading multiple private npm repositories using stolen OAuth tokens.

While the attacker stole data from private repositories, GitHub believes none of the packages were modified, and no user account data or credentials were accessed in this incident.


News URL

https://www.bleepingcomputer.com/news/security/github-notifies-owners-of-private-repos-stolen-using-oauth-tokens/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 12 3 42 30 15 90