GitHub Notifies Owners of Private Repos Stolen Using OAuth Tokens
GitHub says it notified all organizations believed to have had data stolen from their private repositories by attackers abusing compromised OAuth user tokens issued to Heroku and Travis-CI.
“As of 9:30 PM UTC on April 18, 2022, we’ve notified victims of this campaign whom we have identified as having repository contents downloaded by an unauthorized party through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI,” the company revealed in an update to the original statement.
Just as GitHub’s Chief Security Officer Mike Hanley previously said when the breach was disclosed, the company is yet to find any evidence that any of its systems have been compromised since the incident was discovered.
“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker,” GitHub said.
While GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further access, impacted organizations are advised to keep monitoring and reviewing their audit logs and user account security logs for potentially malicious activity.
“Should we identify additional customers who have been affected, we will notify those customers promptly. If you do not receive a notification email from us, that means GitHub has not identified your account as impacted by the current incident,” GitHub added on Monday.
No Travis CI customer data exposed
On Monday, the Travis CI team said that it was informed last Friday, April 15, “that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token.”
Travis CI added that the threat actor breached a Heroku service and gained access to a private app OAuth key used to integrate the Heroku and Travis CI app.
However, since this key only provided limited access to customer data, Travis CI says that its customers’ repos or data were not exposed in the attack.
“We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access,” the Travis CI team said.
“Based on what we have found, we do not believe this is an issue or risk to our customers.”
Guidance for finding evidence of malicious activity
GitHub has shared the following guidance with potentially affected customers to help them investigate their logs for evidence of exfiltration or malicious activity:
- Review all your private repositories for secrets or credentials stored in them. There are several tools that can help with this task, such as GitHub secret scanning and trufflehog.
- Review the OAuth applications that you’ve authorized for your personal account or that are authorized to access your organization and remove anything that’s no longer needed.
- Follow GitHub’s guidelines for hardening the security posture of your GitHub organization.
- Review your account activity, personal access tokens, OAuth apps, and SSH keys for any activity or changes that may have come from the attacker.
- Additional questions should be directed to GitHub Support.
GitHub disclosed this incident on Friday evening, three days after first discovering the attack on April 12, when the attacker accessed GitHub’s npm production infrastructure.
The threat actor used a compromised AWS API key obtained after downloading multiple private npm repositories using stolen OAuth tokens.
The impact on the npm organization includes unauthorized access to private GitHub.com repos and “potential access” to npm packages stored on AWS S3 servers.
While the attacker stole data from private repositories, GitHub believes none of the packages were modified, and no user account data or credentials were accessed in this incident.
More information on how GitHub has responded to protect its customers and what affected organizations need to know in the security alert published on Friday.