A malicious actor has used stolen OAuth user tokens to download a large volume of data from many organizations. GitHub disclosed the incident and stated that the user tokens had been issued to Heroku and Travis CI. This implies that the attacker stole the tokens and then used them to access private repositories.
According to GitHub CSO Mike Hanley, these applications are used by both GitHub and its users. However, GitHub does not store the tokens in a format that an attacker could use, which means they could not have been taken from GitHub's own systems.
Unfortunately, before anyone noticed, the malicious actors had already gathered a large volume of data from different organizations. Hanley believes this was only the first step toward a larger, more damaging attack: analysis suggests the attackers may have been reading private repository contents in order to find a way into other infrastructure.
Affected apps and impacts
According to the GitHub CSO, the apps whose tokens were stolen were Heroku Dashboard (ID 145909), Heroku Dashboards (ID 628778), Heroku Dashboards-Preview (ID 313468), Heroku Dashboards-Classic (ID 363831), and Travis CI (ID 9216).
GitHub discovered the attack on April 12. First, the attacker accessed its npm production infrastructure using a compromised AWS API key. Then, on April 13, GitHub discovered that the attacker had stolen third-party tokens that were never stored on its systems or on npm. The team immediately took action to ensure the affected apps could no longer be used on GitHub. They notified Heroku and Travis CI so they could investigate the incident, revoke all tokens with access to the affected apps, and alert their own users without delay. However, the actors had already accessed some private repositories and possibly some npm package data stored in AWS S3.
As for GitHub itself, Hanley has stated that the actors could not access any of its contents, and that they could neither modify nor access any user account during the attacks on the private repositories. The GitHub team is still investigating the incident, but so far there is no evidence of further compromise of the private repositories that GitHub owns.
GitHub works to protect users
GitHub will continue the investigation to identify the victim organizations and notify them of the incident. It will also email affected customers and organizations within three days with further details and instructions on what to do.
So everyone should watch for that email. Any customer or organization that does not receive one within that window was not affected by the attack. In addition, GitHub recommends that every user review the OAuth apps they have authorized, and the ones that can access their organization, and remove any that are no longer needed.
Every user is also advised to review their user account security logs and organization audit logs for abnormal activity. GitHub adds that any customer who receives the email can contact them about the directions it contains.
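As an added illustration of the two reviews GitHub recommends (it is not code from GitHub or the article), the script below filters constructed audit-log entries for authorizations of the affected app IDs named above that occurred on or after April 12, and lists authorized apps to revoke. The JSON field names (`@timestamp`, `action`, `actor`, `oauth_application_id`) and the idle-days export format are assumptions, not a verified GitHub export schema.

```python
import json
from datetime import datetime, timezone

# OAuth application IDs named in GitHub's disclosure of the incident.
AFFECTED_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# GitHub discovered the compromise on April 12, 2022; review activity from then on.
INCIDENT_START = datetime(2022, 4, 12, tzinfo=timezone.utc)

# Constructed sample of newline-delimited audit-log entries. The field names are
# assumed for this example; timestamps are epoch milliseconds (UTC).
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1649721600000, "action": "oauth_authorization.create", "actor": "alice", "oauth_application_id": 145909}
{"@timestamp": 1649808000000, "action": "oauth_authorization.create", "actor": "bob", "oauth_application_id": 424242}
{"@timestamp": 1648512000000, "action": "oauth_authorization.create", "actor": "carol", "oauth_application_id": 9216}
{"@timestamp": 1649894400000, "action": "repo.access", "actor": "bob", "repo": "example-org/private-repo"}
"""

# Constructed list of OAuth apps authorized for the organization, as a reviewer
# might export them: (app id, app name, days since last use).
AUTHORIZED_APPS = [
    (145909, "Heroku Dashboard", 3),
    (424242, "Internal Deploy Bot", 2),
    (999999, "Old Linter Integration", 200),
]


def parse_audit_log(text):
    """Parse newline-delimited JSON audit-log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_events(events, affected_ids=AFFECTED_APP_IDS, since=INCIDENT_START):
    """Return entries that involve an affected OAuth app on or after `since`.

    Carol's March authorization of app 9216 predates the window and is skipped;
    the repo.access entry carries no app id and is ignored here.
    """
    flagged = []
    for ev in events:
        ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        if ts >= since and ev.get("oauth_application_id") in affected_ids:
            flagged.append(ev)
    return flagged


def revoke_candidates(apps, affected_ids=AFFECTED_APP_IDS, max_idle_days=90):
    """Return app IDs to revoke: any affected app, or any app idle beyond the limit."""
    return [app_id for app_id, _name, idle in apps
            if app_id in affected_ids or idle > max_idle_days]
```

In practice the entries would come from the organization's audit-log export and the app list from the organization's authorized OAuth apps settings page.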