SecurityWeek

Data Breaches

Mintlify Data Breach Leads to Exposure of Customer GitHub Tokens

Mintlify announces vulnerability disclosure program after a data breach exposed 91 customer GitHub tokens.

AI-powered code documentation firm Mintlify says customer GitHub tokens were compromised in a data breach caused by a vulnerability in its systems, prompting it to launch a bug bounty program.

Mintlify helps developers generate code documentation. It requires access to the source code, such as GitHub repositories, to analyze it, understand its purpose, and create descriptions.

In an incident notice on its website, the San Francisco-based company says that 91 customer tokens were exposed in a data breach identified on March 1, when it received a report of the issue and discovered unauthorized requests to its servers.

“We noticed that some of these requests targeted sensitive API endpoints and were successful in their attempts. This unusual activity indicated that the actor behind these requests had possession of our private admin access tokens, granting them unauthorized access to our endpoints,” Mintlify says.

After learning that a customer’s repository was accessed using GitHub tokens stored in its database, the company revoked all GitHub token access, rotated administrative access tokens, and hardened the security of its APIs.

“We’ve detected from our logs that 91 GitHub tokens were compromised. The users have been notified, and we’re working with GitHub to identify whether the tokens were used to access private repositories,” Mintlify says.
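The two steps Mintlify describes, spotting successful requests to sensitive admin endpoints from an unexpected source and then deriving from the logs which customer GitHub tokens those requests reached, can be modelled as a small log check. This is an added example, not Mintlify's code; the log format, the `/admin/customers/<id>/github-token` route, the token prefixes and the allowlisted source IP are all assumptions, and the log lines are constructed.

```python
import re

# Constructed sample access-log lines (not Mintlify's). Assumed format:
# <time> <src_ip> <method> <path> <status> token=<token_id>
SAMPLE_LOG = """\
2024-03-01T02:14:07Z 203.0.113.9 GET /admin/customers/42/github-token 200 token=adm_7f3a
2024-03-01T02:14:08Z 203.0.113.9 GET /admin/customers/43/github-token 200 token=adm_7f3a
2024-03-01T02:14:09Z 203.0.113.9 GET /admin/customers/44/github-token 403 token=adm_7f3a
2024-03-01T02:15:00Z 198.51.100.4 GET /admin/customers/42/github-token 200 token=adm_7f3a
2024-03-01T02:16:11Z 203.0.113.9 GET /api/docs/build 200 token=usr_11aa
2024-03-01T02:17:30Z 203.0.113.9 GET /admin/customers/42/github-token 200 token=usr_11aa
"""

KNOWN_ADMIN_SOURCES = {"198.51.100.4"}  # assumed: the ops team's own egress IP

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) token=(?P<token>\S+)$"
)
CUSTOMER_TOKEN_RE = re.compile(r"^/admin/customers/(?P<cust>\d+)/github-token$")


def find_admin_endpoint_abuse(log_text, known_sources=KNOWN_ADMIN_SOURCES):
    """Successful (2xx) requests to /admin/ endpoints from a source outside the
    allowlist. Failed attempts are dropped on purpose: the incident notice
    singles out the requests that succeeded. Each hit is (ts, ip, path, token)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        succeeded = 200 <= int(m["status"]) < 300
        if succeeded and m["path"].startswith("/admin/") and m["ip"] not in known_sources:
            hits.append((m["ts"], m["ip"], m["path"], m["token"]))
    return hits


def exposed_customer_ids(hits):
    """Customers whose stored GitHub token was read by an abusive request:
    this is the list to revoke and notify."""
    ids = set()
    for _ts, _ip, path, _token in hits:
        m = CUSTOMER_TOKEN_RE.match(path)
        if m:
            ids.add(int(m["cust"]))
    return sorted(ids)


if __name__ == "__main__":
    hits = find_admin_endpoint_abuse(SAMPLE_LOG)
    print(f"{len(hits)} successful admin-endpoint requests from unknown sources")
    print("customer GitHub tokens to revoke:", exposed_customer_ids(hits))
```

The last constructed line, a non-admin `usr_` token succeeding on an admin route, is the kind of hit that deserves its own alert, since it points at an authorization flaw rather than only a stolen admin token.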

Mintlify also says that it worked with a bug bounty reporter to address the underlying vulnerability, that it revoked all access tokens again on March 2, and that it is working with cybersecurity firms to investigate the incident and improve its security stance.

It’s unclear if the individual who reported the vulnerability is the one who exploited the flaw. Some ‘bug bounty hunters’ are known to use aggressive tactics, including exploiting a bug in ways that could be interpreted as malicious, to ensure they receive a reward.


To make it easier for security researchers to report vulnerabilities, the company has launched a bug bounty program covering mintlify.com, dashboard.mintlify.com, leaves.mintlify.com, and the Mintlify GitHub apps.

Interested researchers should send vulnerability reports to ‘security @ mintlify.com’. The reports should contain a description of the bug, steps to reproduce, details on the used environment, and proof-of-concept code if possible.

Previously unidentified vulnerabilities with a CVSS score of 4 or higher are guaranteed to receive financial compensation, the company says. Additional information can be found on Mintlify’s responsible disclosure page.

Related: Mercedes Source Code Exposed by Leaked GitHub Token

Related: Major Organizations Using ‘Hugging Face’ AI Tools Put at Risk by Leaked API Tokens

Related: Sourcegraph Discloses Data Breach Following Access Token Leak

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
