GitHub has detected an active attack campaign in which private data was accessed. It’s believed that stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, were used to access data from private repositories.
Some GitHub users had private repositories leaked. API keys or other secrets stored in these repositories could be abused for further malicious activity.
GitHub has notified affected customers.
Affected OAuth applications:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
Containment, Mitigations & Remediations
GitHub recommends that users periodically review the OAuth applications that have been granted access and remove those that are no longer needed.
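One way to make that periodic review repeatable, shown as an added example that is not part of the original advisory or any GitHub tooling: it checks an inventory of authorized OAuth apps against the application IDs listed above and against a staleness cutoff. The inventory records, their field names, the "Example" apps and the 90-day threshold are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# OAuth application IDs listed in this advisory.
ADVISORY_APP_IDS = {145909, 628778, 313468, 363831, 9216}
# Assumption: an app unused for 90 days counts as "no longer needed".
STALE_AFTER = timedelta(days=90)

# Constructed inventory; the field names are hypothetical, not a GitHub API schema.
SAMPLE_INVENTORY = [
    {"name": "Heroku Dashboard", "app_id": 145909, "scopes": ["repo", "user"], "last_used": "2022-04-10"},
    {"name": "Travis CI", "app_id": 9216, "scopes": ["repo", "read:org"], "last_used": "2021-11-02"},
    {"name": "Example Linter", "app_id": 1000001, "scopes": ["repo"], "last_used": "2021-06-30"},
    {"name": "Example Chat Bot", "app_id": 1000002, "scopes": ["read:user"], "last_used": "2022-04-12"},
    {"name": "Example Deployer", "app_id": 1000003, "scopes": ["repo"], "last_used": None},
]


def review(inventory, today):
    """Return one finding per app: the action to take and the reasons behind it."""
    findings = []
    for app in inventory:
        reasons = []
        if app["app_id"] in ADVISORY_APP_IDS:
            reasons.append("listed in advisory")
        last = app.get("last_used")
        if last is None:
            reasons.append("never used")
        elif today - date.fromisoformat(last) > STALE_AFTER:
            reasons.append("unused for over 90 days")
        # The 'repo' OAuth scope includes access to private repositories.
        private_access = "repo" in app["scopes"]
        if "listed in advisory" in reasons:
            action = "revoke and rotate secrets" if private_access else "revoke"
        elif reasons:
            action = "remove"
        elif private_access:
            action = "review"
            reasons.append("can read private repositories")
        else:
            action = "keep"
        findings.append({"name": app["name"], "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_INVENTORY, date(2022, 4, 20)):
        print(f"{f['name']:<18} {f['action']:<26} {'; '.join(f['reasons'])}")
```
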
Indicators of Compromise
Having access to private source code could allow the attacker to find and exploit vulnerabilities more easily. Any secrets included in the source code would also be useful for pivoting to other targets.
T1078.004 – Cloud Accounts