Attackers Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens
upstart writes:
Attackers Breach 'Dozens' of GitHub Repos Using Stolen OAuth Tokens:
GitHub shared the timeline of the breaches in April 2022; this timeline covers when a threat actor gained access and stole private repositories belonging to dozens of organizations.
GitHub revealed details tied to last week's incident where hackers, using stolen OAuth tokens, downloaded data from private repositories.
"We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats," said Mike Hanley, chief security officer, GitHub.
[...] GitHub's analysis of the incident indicates that the attackers authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI. It added that most of those affected had authorized Heroku or Travis CI OAuth apps in their GitHub accounts. The attacks were selective: the attackers listed the private repositories of interest and then proceeded to clone them.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," Hanley said. "GitHub believes these attacks were highly targeted," he added.
GitHub said it is in the process of sending the final notification to its customers who had either Travis CI or Heroku OAuth apps integrated into their GitHub accounts.
Read more of this story at SoylentNews.