Security News > 2022 > April > GitHub: How stolen OAuth tokens helped breach dozens of orgs
GitHub has shared a timeline of this month's security breach when a threat actor gained access to and stole private repositories belonging to dozens of organizations.
The attacker used stolen OAuth app tokens issued to Heroku and Travis-CI to breach GitHub.com customer accounts with authorized Heroku or Travis CI OAuth app integrations.
The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI. For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user's organizations.
"GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku."
GitHub disclosed the breach on the evening of April 15th, three days after discovering the attack, when the malicious actor accessed GitHub's npm production infrastructure.
In the initial stage of the attack, the threat actor used a compromised AWS API key acquired after downloading multiple private npm repositories using stolen OAuth user tokens.