Hackers breached several GitHub accounts using stolen OAuth tokens


Repository hosting service GitHub on Friday confirmed that attackers used stolen OAuth tokens to gain access to several GitHub accounts and download data from private repositories.

OAuth is an open standard authorization framework that third-party services such as Facebook and Google use to grant applications access to an account. Instead of sharing the user's password, it issues an authorization token that the application presents to prove it is authorized. GitHub says the attackers did not obtain the tokens from GitHub or its systems, because GitHub does not store the tokens in question in their original, usable format.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer, GitHub.

The company confirmed that stolen OAuth tokens were issued to Heroku and Travis CI. Attackers selectively listed the private repositories or accounts that they gained access to and proceeded to clone private repositories.
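The pattern the article describes, a token that first enumerates private repositories and then clones them in bulk, is something a defender can look for in access logs. The following is an added example, not code from the article or from GitHub: it parses a few constructed audit log lines (the `key=value` format, the `app`, `token_id`, `action` and `visibility` fields, and the `repo.list` / `git.clone` action names are all assumptions for illustration) and flags any OAuth-app token that listed private repositories and then cloned at least `threshold` distinct private repositories within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log, not real GitHub data. Token t-41 lists private
# repos and clones three of them within minutes; t-77 does one routine private
# clone; t-9 only lists and never clones; one public clone should be ignored.
SAMPLE_LOG = """\
2022-04-12T09:01:10Z app=travis-ci token_id=t-41 user=alice action=repo.list visibility=private
2022-04-12T09:01:12Z app=travis-ci token_id=t-41 user=alice action=git.clone repo=org/billing visibility=private
2022-04-12T09:01:20Z app=travis-ci token_id=t-41 user=alice action=git.clone repo=org/infra visibility=private
2022-04-12T09:02:05Z app=travis-ci token_id=t-41 user=alice action=git.clone repo=org/payroll visibility=private
2022-04-12T09:03:00Z app=heroku token_id=t-77 user=carol action=git.clone repo=org/webapp visibility=private
2022-04-12T09:04:00Z app=heroku token_id=t-9 user=dave action=repo.list visibility=private
2022-04-12T09:05:00Z app=heroku token_id=t-9 user=dave action=git.clone repo=org/docs visibility=public
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in m.group("kv").split():
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    return event


def find_bulk_private_clones(lines, threshold=3, window=timedelta(hours=1)):
    """Return alerts for (app, token) pairs that listed private repositories and then
    cloned `threshold` or more distinct private repositories within `window`."""
    listed_at = {}                 # (app, token_id) -> time of first private repo.list
    clones = defaultdict(dict)     # (app, token_id) -> {repo: clone time}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.get("visibility") != "private":
            continue
        key = (ev.get("app"), ev.get("token_id"))
        if ev.get("action") == "repo.list":
            listed_at.setdefault(key, ev["ts"])
        elif ev.get("action") == "git.clone" and "repo" in ev:
            clones[key].setdefault(ev["repo"], ev["ts"])

    alerts = []
    for key, repos in clones.items():
        if key not in listed_at:
            continue                       # no enumeration step, not the pattern we want
        start = listed_at[key]
        in_window = sorted(r for r, t in repos.items() if start <= t <= start + window)
        if len(in_window) >= threshold:
            alerts.append({"app": key[0], "token_id": key[1], "repos": in_window})
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_private_clones(SAMPLE_LOG.splitlines()):
        print(f"ALERT app={alert['app']} token={alert['token_id']} cloned {alert['repos']}")
```

The threshold and window are deliberately parameters: what counts as "bulk" depends on how a given integration normally behaves, and the useful baseline is the token's own history rather than a fixed number. Matching on the enumeration step first keeps a single routine clone by a legitimate CI job from raising an alert.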

GitHub found the first evidence of the attack on April 12, when it detected unauthorized access to its npm production environment using a compromised AWS API key. On discovering the unauthorized access, it immediately revoked the tokens associated with GitHub and npm.

Once it identified the stolen OAuth tokens, it immediately contacted Heroku and Travis CI so they could start their own security investigations and revoke all OAuth user tokens associated with the affected applications. The company is now working closely with both organizations to protect customers.
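Two defensive points run through the article: GitHub keeps OAuth tokens only in a form that is not usable on its own (so a copy of its token store would not hand an attacker working credentials), and the response to the incident was to revoke every token issued to the affected applications. The following is an added example, not GitHub's code or the article's: a minimal token store that persists only a SHA-256 digest of each token, returns the plaintext exactly once at issuance, and supports bulk revocation per OAuth application. The `gho_` prefix, the application identifiers and the in-memory dictionary are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    token_hash: str   # SHA-256 hex digest of the token; the plaintext is never stored
    app_id: str       # OAuth application the token was issued to
    user: str         # account that authorized the application
    revoked: bool = False


class OAuthTokenStore:
    """Token store that keeps only digests. Dumping this store yields nothing a caller
    could present to the API, which is the property the article attributes to GitHub."""

    def __init__(self):
        self._records = {}   # digest -> TokenRecord

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, app_id, user):
        """Mint a random token, persist only its digest, and hand the plaintext back once."""
        token = "gho_" + secrets.token_urlsafe(32)   # assumed prefix, for illustration only
        digest = self._digest(token)
        self._records[digest] = TokenRecord(digest, app_id, user)
        return token

    def lookup(self, token):
        """Resolve a presented token to its record, or None if unknown or revoked.
        The lookup hashes the presented value, so the store never needs the plaintext."""
        record = self._records.get(self._digest(token))
        if record is None or record.revoked:
            return None
        return record

    def revoke_app(self, app_id):
        """Revoke every live token issued to one application (the step GitHub and its
        partners took for the affected integrations). Returns the number revoked."""
        count = 0
        for record in self._records.values():
            if record.app_id == app_id and not record.revoked:
                record.revoked = True
                count += 1
        return count

    def live_count(self):
        return sum(1 for r in self._records.values() if not r.revoked)


if __name__ == "__main__":
    store = OAuthTokenStore()
    t_ci = store.issue("app-ci", "alice")
    t_paas = store.issue("app-paas", "bob")
    print("before revocation:", store.lookup(t_ci).user, store.lookup(t_paas).user)
    print("revoked:", store.revoke_app("app-ci"))
    print("after revocation:", store.lookup(t_ci), store.lookup(t_paas).user)
```

Hashing is appropriate here because a token is a high-entropy random string, so an unsalted digest is not practically invertible; this is not the right design for low-entropy secrets such as passwords, which need a slow, salted password hash instead. Revocation is a flag rather than a deletion so that the record remains available for the kind of access audit the article describes.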

It is also sending a final notification to all GitHub users who had either the Travis CI or Heroku OAuth app integrated into their GitHub account. GitHub also states that it was not itself affected by the attack and that it found no evidence of its own private repositories being cloned by the attackers.
