GitHub notifies owners of private repos stolen using OAuth tokens
Security News, April 2022
GitHub says it notified all organizations believed to have had data stolen from their private repositories by attackers abusing compromised OAuth user tokens issued to Heroku and Travis-CI. "As of 9:30 PM UTC on April 18, 2022, we've notified victims of this campaign whom we have identified as having repository contents downloaded by an unauthorized party through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI," the company revealed in an update to the original statement.
"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker," GitHub said.
While GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further access, impacted organizations are advised to keep monitoring and reviewing their audit logs and user account security logs for potentially malicious activity.
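As an added illustration of the audit-log review recommended here (example code, not GitHub's, Heroku's or Travis CI's), the script below scans constructed audit-log-style records and flags any third-party OAuth app that pulled an unusual number of distinct private repositories in a short window; the record field names and action names are assumptions modelled loosely on GitHub audit-log exports.

```python
"""Flag bulk private-repo downloads attributed to a third-party OAuth app.
Added example, not GitHub's code; the record field names are assumptions
modelled loosely on GitHub audit-log exports (adapt to your own export)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that deliver repository contents to the caller (assumed names).
DOWNLOAD_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

def _ev(action, actor, repo, visibility, oauth_app, at):
    return {"action": action, "actor": actor, "repo": repo,
            "visibility": visibility, "oauth_app": oauth_app, "at": at}

# Constructed sample records, not real audit data.
SAMPLE_EVENTS = [
    # Benign: direct clone with no OAuth app, and an app cloning a public repo.
    _ev("git.clone", "alice", "acme/docs", "private", None, "2022-04-13T09:55:00Z"),
    _ev("git.clone", "ci-bot", "acme/website", "public", "example-ci-app", "2022-04-13T09:58:00Z"),
    # Suspicious: one OAuth app pulling six private repos within five minutes.
    *[_ev("git.clone", "ci-bot", f"acme/svc-{i}", "private", "example-ci-app",
          f"2022-04-13T10:0{i}:00Z") for i in range(6)],
    # Below threshold: another app touching only two private repos.
    _ev("repo.download_zip", "bob", "acme/infra", "private", "example-deploy-app", "2022-04-13T11:00:00Z"),
    _ev("repo.download_zip", "bob", "acme/billing", "private", "example-deploy-app", "2022-04-13T11:01:00Z"),
]

def find_bulk_downloads(events, window=timedelta(minutes=10), threshold=5):
    """Return {(oauth_app, actor): sorted repos} for every app/actor pair that
    downloaded at least `threshold` distinct private repos inside `window`.
    Direct (non-OAuth) access and public repos are ignored."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] in DOWNLOAD_ACTIONS and e["visibility"] == "private" and e["oauth_app"]:
            ts = datetime.strptime(e["at"], "%Y-%m-%dT%H:%M:%SZ")
            by_key[(e["oauth_app"], e["actor"])].append((ts, e["repo"]))
    flagged = {}
    for key, items in by_key.items():
        items.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(items):
            repos = {repo for t, repo in items[i:] if t - start <= window}
            if len(repos) >= threshold:
                flagged[key] = sorted(repos)
                break
    return flagged

if __name__ == "__main__":
    for (app, actor), repos in find_bulk_downloads(SAMPLE_EVENTS).items():
        print(f"review OAuth app {app!r} used by {actor!r}: {len(repos)} private repos")
```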
"Should we identify additional customers who have been affected, we will notify those customers promptly. If you do not receive a notification email from us, that means GitHub has not identified your account as impacted by the current incident," GitHub added on Monday.
The threat actor also used a compromised AWS API key, obtained after downloading multiple private npm repositories with the stolen OAuth tokens.
While the attacker stole data from private repositories, GitHub believes none of the packages were modified, and no user account data or credentials were accessed in this incident.