An unknown number of private GitHub repositories have been breached by an unknown attacker, apparently for the purpose of stealing private information. GitHub says that it was not breached, but that OAuth tokens were stolen from two widely used third-party services: Heroku and Travis-CI.
GitHub says information stolen from private repositories, but no sign of code modification
Rather than malware or vandalism, it appears the attackers were interested in simply stealing information to be used for further attacks against the target organizations. The stolen OAuth tokens granted access to the private repositories of organizations that had authorized any of four different Heroku Dashboard OAuth applications, as well as the Travis CI application (ID: 9216).
The OAuth tokens have been revoked by GitHub at this point, but the extent of the damage and the total number of impacted organizations (and their identities) remain unknown. GitHub says that it has reached out to all organizations that may have had their private repositories accessed by the attackers.
OAuth tokens allow for logging in to multiple websites using one set of credentials. If GitHub was not breached, it is extremely likely that the tokens were stolen at the client end. The exact method is unknown, however; this could have been a case of social engineering, or of a client-side developer failing to implement security measures properly. There is even the possibility of an insider selling them via underground forums, where OAuth tokens are a hot commodity.
Stolen OAuth tokens revoked, companies left to assess damage
GitHub would only say that “dozens” of companies had their private repositories accessed. The one that it named was npm, the widely used JavaScript package registry that GitHub recently acquired. GitHub said that it did not uncover any evidence of npm code being altered or any customer credentials being compromised. However, it does not yet have a conclusive answer as to whether private packages were viewed or downloaded. GitHub also said that npm’s architecture was entirely separate from the GitHub site.
npm was the initial point of access to GitHub for the attackers, who entered using a stolen AWS API key on April 12. GitHub’s security team traced this back to a stolen OAuth token, and the ensuing investigation turned up more stolen tokens and markers of access to private repositories within the next 24 hours.
GitHub said that it had contacted the organizations it believed to be impacted via email by April 19, and had informed both Heroku and Travis-CI by April 14. An investigation that incorporates Heroku and Travis-CI is ongoing. The two companies have also said that customer account credentials did not appear to be compromised, but that they were reaching out to customers that had GitHub repositories connected to their accounts. Heroku has also asked potentially impacted customers to email its security team at Salesforce, and to review both organization and personal security logs from GitHub. Travis-CI said something similar, but also reissued all customer GitHub authentication keys and tokens out of an abundance of caution.
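The review of GitHub organization security logs that Heroku and Travis-CI asked customers to perform can be partly automated. The script below is an added example, not code from GitHub, Heroku or Travis-CI: it reads an exported audit log in newline-delimited JSON, keeps only repository-read events performed with an OAuth access token inside the incident window (April 12 to April 19, the dates given above), discards events from addresses the organization already knows its integrations use, and lists the repositories whose contents should be treated as disclosed. The field names (action, actor, repo, actor_ip, created_at in epoch milliseconds, programmatic_access_type), the set of read actions, the trusted address list and every value in the sample log are assumptions constructed for the example; check them against your own export before relying on the output.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of organization audit-log events in the NDJSON shape of an
# export download. Field names are assumed for illustration; usernames,
# repositories and addresses are made up.
SAMPLE_AUDIT_LOG = """\
{"action": "git.clone", "actor": "dev-alice", "repo": "example-org/payments-api", "actor_ip": "203.0.113.10", "created_at": 1649664000000, "programmatic_access_type": "OAuth access token"}
{"action": "git.clone", "actor": "dev-alice", "repo": "example-org/payments-api", "actor_ip": "198.51.100.77", "created_at": 1649842200000, "programmatic_access_type": "OAuth access token"}
{"action": "repo.download_zip", "actor": "dev-bob", "repo": "example-org/internal-tools", "actor_ip": "198.51.100.77", "created_at": 1649842860000, "programmatic_access_type": "OAuth access token"}
{"action": "git.push", "actor": "dev-carol", "repo": "example-org/internal-tools", "actor_ip": "198.51.100.5", "created_at": 1649937600000, "programmatic_access_type": "Personal access token"}
{"action": "git.clone", "actor": "dev-alice", "repo": "example-org/payments-api", "actor_ip": "203.0.113.10", "created_at": 1649948400000, "programmatic_access_type": "OAuth access token"}
"""

# Actions that read repository contents; a stolen read-only token leaves one of
# these behind rather than a push. Assumed action names for the example.
READ_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

# Constructed allowlist: egress addresses the organization knows its CI and
# deployment integrations use. Anything else using an OAuth token is suspect.
TRUSTED_INTEGRATION_IPS = {"203.0.113.10"}


def parse_events(ndjson_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def _event_time(event):
    """created_at is epoch milliseconds; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(event["created_at"] / 1000, tz=timezone.utc)


def triage(events, window_start, window_end, trusted_ips):
    """Return {repo: [finding, ...]} for OAuth-token reads inside the window
    that originate from an address not on the trusted list."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("programmatic_access_type") != "OAuth access token":
            continue
        if ev.get("action") not in READ_ACTIONS:
            continue
        when = _event_time(ev)
        if not (window_start <= when < window_end):
            continue
        if ev.get("actor_ip") in trusted_ips:
            continue
        findings[ev["repo"]].append({
            "actor": ev["actor"],
            "ip": ev.get("actor_ip"),
            "action": ev["action"],
            "time": when.isoformat(),
        })
    return dict(findings)


def exposed_repos(findings):
    """Repositories whose contents should be treated as disclosed."""
    return sorted(findings)


def run_sample():
    """Run the triage over the constructed log with the incident window from
    the article: first traced access on April 12, notifications by April 19."""
    events = parse_events(SAMPLE_AUDIT_LOG)
    start = datetime(2022, 4, 12, tzinfo=timezone.utc)
    end = datetime(2022, 4, 19, tzinfo=timezone.utc)
    return triage(events, start, end, TRUSTED_INTEGRATION_IPS)


if __name__ == "__main__":
    report = run_sample()
    for repo in exposed_repos(report):
        print(repo)
        for f in report[repo]:
            print(f"  {f['time']} {f['action']} by {f['actor']} from {f['ip']}")
```

On the sample data the April 11 clone falls outside the window, the push with a personal access token is not an OAuth read, and the clone from the trusted integration address is discounted, leaving one unexplained clone of payments-api and one zip download of internal-tools from the same unfamiliar address. The allowlist is the weak point of this approach: an attacker who replays a token from the same cloud provider the integration runs on can blend in, so treat the output as a starting list for human review, not as proof that untouched repositories were safe.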