Documentation startup Mintlify said dozens of its customers had their GitHub tokens exposed in a data breach earlier this month that became public last week.
Mintlify helps developers document their software and source code by requesting access to and directly leveraging customers' GitHub source code repositories. Mintlify counts fintech, database, and AI startups among its customers.
In a blog post on Monday, Mintlify blamed the March 1 incident on a vulnerability in its systems and said 91 of its customers had their GitHub tokens compromised as a result.
These private tokens allow GitHub users to share their account access with third-party apps, including companies like Mintlify. If these tokens were stolen, an attacker could gain the same level of access to a person's source code as the tokens allow.
“Users have been notified and we are working with GitHub to determine if the token was used to access private repositories,” Mintlify co-founder Han Wang said in a blog post.
News of the incident became public last week, when users on Reddit and Hacker News posted about an email they had received from Mintlify on Friday. That email came days after the company first told customers in a blog post that “no further action is required.”
In a post discussing the breach on Hacker News, Wang said a vulnerability in the system exposed the company's administrator credentials to customers. According to Wang, these credentials could be used to reach internal endpoints and to access unspecified other sensitive user information.
Wang said the company is in the process of eliminating the use of private tokens “to prevent incidents like this from happening again.”
Although the blog post describes the person who discovered the vulnerability as a bug bounty reporter, Wang said the incident was malicious.
“The target of this attack was our users' GitHub tokens,” Wang told TechCrunch via email.
“An investigation with one of our affected customers revealed that the leaked tokens were likely not used by the attackers. We are currently working with GitHub and our customers to provide other tokens are being used by attackers,” Wang said.