Documentation startup Mintlify says dozens of customers had their GitHub tokens exposed in a data breach earlier this month that was publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the client’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as clients.
In a blog post on Monday, Mintlify blamed the March 1 incident on a vulnerability in its own systems and said 91 of its customers had their GitHub tokens compromised as a result.
These private tokens allow GitHub users to share access to their account with third-party applications, including companies like Mintlify. If these tokens are stolen, an attacker could gain the same level of access to the source code of a person who authorizes the token.
“Users have been notified and we are working with GitHub to determine if the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.
News of the incident broke last week when some users on Reddit and Hacker News commented after receiving an email from Mintlify on Friday about the incident, days after the company’s blog post had initially told customers that “no further action is required on your part.”
In a post about the breach on Hacker News, Wang said a vulnerability in the company’s systems leaked its internal administrator credentials to customers. Those credentials could then be used to reach the company’s internal endpoints and, from there, other unspecified sensitive user information, Wang said.
Wang said the company was in the process of removing the use of private tokens “to prevent an incident like this from happening again.”
While the blog post describes the person who discovered the vulnerability as a bug reporter, company co-founder Wang described the events as malicious.
“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch via email.
“Investigations with an affected customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to find out if any of the other tokens were used by the attacker,” Wang said.