
Mintlify says customer GitHub tokens exposed in data breach

Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the beginning of the month and publicly disclosed last week.

Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers.

In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, but said 91 of its customers had their GitHub tokens compromised as a result.

These personal tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens are stolen, an attacker could gain the same level of access to a person’s source code as the token permits.

“The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.

News of the incident became public last week when some users on Reddit and Hacker News commented after getting an email from Mintlify on Friday about the incident, days after the company’s blog post initially told customers that “no further action is required on your part.”

In a post discussing the breach on Hacker News, Wang said a vulnerability in its systems was leaking the company’s internal admin credentials to customers. These credentials could then be used to access the company’s internal endpoints and reach other unspecified sensitive user information, Wang said.

Wang said that the company was in the process of deprecating the use of personal tokens “to prevent an incident like this from ever happening again.”

While the blog post describes the person who found the vulnerability as a bug bounty reporter, the company’s co-founder Wang described the events as malicious.

“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email.

“Investigations with one impacted customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.
