Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the beginning of the month and publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access to, and tapping directly into, the customer’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers.
In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, but said 91 of its customers had their GitHub tokens compromised as a result.
These personal tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person’s source code as the token permits.
“The users have been notified, and we are working with GitHub to determine whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.
News of the incident became public last week when some users on Reddit and Hacker News commented after receiving an email from Mintlify on Friday about the incident, days after the company’s blog post initially told customers that “no further action is required on your part.”
In a post discussing the breach on Hacker News, Wang said a vulnerability in its systems was leaking the company’s internal admin credentials to customers. Those credentials could then be used to access the company’s internal endpoints and, from there, other unspecified sensitive user information, Wang said.
Wang said that the company was in the process of deprecating the use of personal tokens “to prevent an incident like this from ever happening again.”
While the blog post describes the person who found the vulnerability as a bug bounty reporter, the company’s co-founder Wang described the events as malicious.
“Investigations with one impacted customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.