Documentation startup Mintlify says dozens of customers had GitHub tokens exposed in a data breach at the start of the month and publicly disclosed last week.
Mintlify helps developers create documentation for their software and source code by requesting access and tapping directly into the customer’s GitHub source code repositories. Mintlify counts fintech, database and AI startups as customers.
In a blog post Monday, Mintlify blamed its March 1 incident on a vulnerability in its own systems, but said 91 of its customers had their GitHub tokens compromised as a result.
These private tokens allow GitHub users to share their account access with third parties apps, including companies like Mintlify. If these tokens are stolen, an attacker could obtain the same level of access to a person’s source code as the token permits.
“The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify co-founder Han Wang wrote in a blog post.
News of the incident became public last week when some users on Reddit and Hacker News commented after getting an email from Mintlify on Friday about the incident, days after the company’s blog post initially told customers that “no further action is required on your part.”
In a post discussing the breach on Hacker News, Wang said a vulnerability in its systems was leaking the company’s internal admin credentials to customers. Those credentials could then be used to access the company’s internal endpoints to access other unspecified sensitive user information, Wang said.
Wang said that the company was in the process of deprecating the use of private tokens “to prevent an incident like this from ever happening again.”
While the blog post describes the person who discovered the vulnerability as a bug bounty reporter, the company’s co-founder Wang described the events as malicious.
“The targets of this attack were GitHub tokens of our users,” Wang told TechCrunch by email.
“Investigations with one impacted customer revealed that the leaked token was likely not used by the attacker. We are currently working with GitHub and our customers to uncover if any of the other tokens were used by the attacker,” Wang said.