Connect with us

Hi, what are you looking for?


Data Breaches

Sourcegraph Discloses Data Breach Following Access Token Leak

Sourcegraph says customer information was breached after an engineer accidentally leaked an admin access token.

Code search and navigation platform Sourcegraph on Thursday announced that it has experienced a data breach after an engineer accidentally leaked an admin access token.

The incident was identified on August 30, after the platform experienced a massive surge in API usage that prompted an immediate investigation.

According to the platform, the admin access token used in the attack was leaked in a July 14 commit that passed internal code analysis tools. The token “had broad privileges to view and modify account information on”.

On August 30, a user elevated the privileges for a recently created Sourcegraph account, gaining unauthorized access to the admin dashboard.

“The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph’s APIs and leverage the underlying LLM. Users were instructed to create free accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit,” the platform explains in an incident notice.

Rapidly gaining attention from numerous people looking to obtain free access to the Sourcegraph API, the proxy app started being used to create new accounts, which resulted in a spike in API usage.

The malicious user having admin privileges could have accessed license key recipients’ names and email addresses, and Sourcegraph license keys for a subset of customers, as well as the email addresses of Sourcegraph community users.

Advertisement. Scroll to continue reading.

“We have no indication that any of this data was viewed, modified, or copied, but the malicious user could have viewed license key recipients’ emails and community user email addresses as they navigated the admin dashboard,” Sourcegraph says.

On the admin dashboard page providing access to paid customer license keys, the malicious user could only view the first 20 license key items and Sourcegraph was able to quickly determine which items were viewed. These keys do not provide access to customer instances, the platform underlines.

“Customers’ private data or code was not viewed during this incident. Customer private data and code resides in isolated environments and were therefore not impacted by this event,” Sourcegraph notes.

Immediately after identifying the incident, the platform fully revoked the malicious user’s access, rotated the Sourcegraph customer license keys that might have been viewed, temporarily reduced the rate limits for all free community users, and continued to monitor for suspicious activity.

Related: 500k Impacted by Data Breach at Fashion Retailer Forever 21

Related: 10 Million Likely Impacted by Data Breach at French Unemployment Agency

Related: University of Minnesota Confirms Data Breach, Says Ransomware Not Involved

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Data Breaches

A group of hackers has leaked Atlassian employee records and floorplans, information that was obtained from third-party workplace platform Envoy.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Data Breaches

AT&T is notifying millions of wireless customers that their CPNI was compromised in a data breach at a third-party vendor.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Instant Checkmate and TruthFinder have disclosed data breaches affecting a total of more than 20 million users.