GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI.
“Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications,” the company said in an updated post.
The incident originally came to light on April 12 when GitHub uncovered signs that a malicious actor had leveraged the stolen OAuth user tokens issued to Heroku and Travis CI to download data from dozens of organizations, including NPM.
The Microsoft-owned platform said it would notify customers immediately if additional victims are discovered during the ongoing investigation. It also warned that an adversary could be looking into repositories to find secrets that can be used for other attacks.
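The warning above, that downloaded repository contents may be mined for secrets, is the reason defenders audit their own repositories after an incident like this. The following Python script is an added example (not code from GitHub, Heroku or Travis CI) that scans repository text for two kinds of leaked credentials: tokens with a well-known prefix (the `ghp_` GitHub personal access token prefix and the `AKIA` AWS access key ID prefix) and assignments to credential-like variable names whose values have high Shannon entropy. The token lengths, the entropy threshold, and the sample file contents are all constructed for the example.

```python
import math
import re

# Constructed sample repository contents (not real credentials), roughly what an
# attacker who pulled a private repository via a stolen OAuth token would see.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "GITHUB_TOKEN = 'ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "APP_NAME = 'inventory'\n"
    ),
    "deploy/heroku.sh": (
        "#!/bin/sh\n"
        "export HEROKU_API_KEY=\"9f2c1e7b4a8d4c3e9a1b2c3d4e5f6a7b\"\n"
        "echo 'deploying'\n"
    ),
}

# Token formats with a fixed prefix. The 'ghp_' and 'AKIA' prefixes are real
# conventions; the exact lengths used here are an assumption for the example.
PREFIXED_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}

# Assignment whose variable name suggests a credential and whose quoted value is
# at least 16 characters; the value is then judged by its entropy.
KEYISH_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:key|token|secret|password)[A-Z0-9_]*)"
    r"\s*=\s*[\"'](?P<value>[^\"']{16,})[\"']"
)


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, entropy_threshold=3.0):
    """Return a list of findings for one file's contents.

    Each finding records the file path, 1-based line number, the kind of secret,
    and the matched value so the owner knows exactly which credential to rotate.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PREFIXED_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": kind, "match": m.group(0)})
        m = KEYISH_ASSIGNMENT.search(line)
        if m:
            value = m.group("value")
            # Do not report a value twice when a prefix pattern already caught it.
            if any(f["line"] == lineno and f["match"] == value for f in findings):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy_assignment",
                                 "name": m.group("name"), "match": value})
    return findings


def scan_files(files):
    """Scan a mapping of path -> text and return all findings across files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} -> {f['match']}")
```

Running the script on the constructed sample reports three findings: the GitHub token and AWS key by prefix, and the Heroku API key by entropy. Any credential a scan like this surfaces in a repository that a compromised OAuth application could read should be treated as exposed and rotated, which is the same reasoning behind Travis CI revoking and reissuing its tokens.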
Heroku, which has pulled support for GitHub integration in the wake of the incident, recommended that users consider the option of integrating their app deployments directly with Git or with other version control providers such as GitLab or Bitbucket.
Hosted continuous integration service provider Travis CI, in a similar advisory published on Monday, stated that it had “revoked all authorization keys and tokens preventing any further access to our systems.”
Stating that no customer data was exposed, the company acknowledged that the attackers breached a Heroku service and accessed a private application’s OAuth key that’s used to integrate both the Heroku and Travis CI apps.
But Travis CI stated that there was no evidence that an intrusion had been made into a customer repository, or that threat actors gained unauthorized access to source code.
“Given the data we had and out of an abundance of caution, Travis CI revoked and reissued all private customer auth keys and tokens integrating Travis CI with GitHub to ensure no customer data is compromised,” the company said.