Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the beginning of the month, publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access to, and tapping directly into, the customer’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers.
In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, but said 91 of its customers had their GitHub tokens compromised as a result.
These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person’s source code as the token permits.
“The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.
News of the incident became public last week when some users on Reddit and Hacker News commented after receiving an email from Mintlify on Friday about the incident, days after the company’s blog post had initially told customers that “no further action is required on your part.”
In a post discussing the breach on Hacker News, Wang said a vulnerability in its systems was leaking the company’s internal admin credentials to customers. Those credentials could then be used to reach the company’s internal endpoints and access other unspecified sensitive user information, Wang said.
Wang said that the company was in the process of deprecating the use of private tokens “to prevent an incident like this from ever happening again.”
While the blog post describes the person who found the vulnerability as a bug bounty reporter, the company’s co-founder Wang described the events as malicious.
“The targets of this attack were GitHub tokens of our users,” Wang told Ztoog by email.
“Investigations with one impacted customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.