GitHub Token Breach: Mintlify Announces Customer Data Compromise

Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach that occurred at the start of the month and was publicly disclosed last week. Mintlify helps developers create documentation for their software and source code by requesting access to, and tapping directly into, the customer’s GitHub source code repositories. These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. “The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email. “We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.

The startup Mintlify has revealed that a data breach at the beginning of the month resulted in the exposure of dozens of GitHub tokens from their customers. This news was made public last week through a blog post by the company.

Mintlify offers developers a platform to create documentation for their software and source code by connecting directly to their GitHub repositories. Among their clients are fintech, database, and AI startups.

In a blog post on Monday, Mintlify disclosed that the incident on March 1 was caused by a vulnerability in their internal systems, resulting in the compromise of 91 GitHub tokens belonging to their customers.

These private tokens are used by GitHub users to grant third-party apps, including Mintlify, access to their accounts. The theft of these tokens could give an attacker the same level of access to a person’s source code as the token permits.

“The affected users have been notified, and we are currently working with GitHub to determine if the compromised tokens were used to access private repositories,” explained Mintlify co-founder Han Wang in the blog post.

The breach came to light last week when some Reddit and Hacker News users received an email from Mintlify notifying them of the incident. This email came days after the company’s initial blog post, which stated that “no further action is required on your part.”

In a discussion about the breach on Hacker News, Wang revealed that the vulnerability in their systems was leaking the company’s internal admin credentials to customers. These credentials could then be used to gain access to other unspecified sensitive user information through internal endpoints, Wang said.

As a preventive measure, Wang shared that Mintlify is deprecating the use of private tokens and “taking steps to prevent any similar incidents from happening in the future.”

Despite referring to the person who discovered the vulnerability as a “bug bounty reporter” in their blog post, Wang clarified that the incident was a deliberate attack.

“The targeted information in this attack were the GitHub tokens of our users,” Wang told TechCrunch via email.

“After investigating with one affected customer, we have found that the leaked token was most likely not used by the attacker. We are currently working with GitHub and our customers to determine if any of the other tokens were used,” added Wang.

Kira Kim
