Follow us on X (Twitter)  Like us on Facebook  Connect with us on LinkedIn  Subscribe to our YouTube Channel  Subscribe to our WhatsApp Group

GitHub revealed that an attacker breached accounts using the stolen OAuth tokens to download data from organization accounts. This information was revealed after the GitHub Security team began an investigation on April 12th, 2022. The company also claimed that those abused tokens were issued to two 3rd-party OAuth integrators.


Was your GitHub account compromised in this data breach? To know more, continue reading till the end of the post.


Attackers breached GitHub accounts using stolen OAuth tokens


Mike Hanley, the Chief Security Officer at GitHub, on 15th April revealed that they have discovered evidence of attackers abusing stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.


This data breach was first discovered on 12th April, after GitHub Security began an investigation.



The applications maintained by these integrators (namely Heroku and Travis-CI) were used by GitHub users, including GitHub itself. But the actual GitHub systems were not compromised as these tokens are not stored by GitHub in their original format.


We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats, says Mike.


Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure, adds Mike in his blog post.



According to Mike Hanley, here is the list of impacted OAuth applications as of April 15, 2022:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)


According to the initial detection related to this campaign, the company believes that this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above.



As of now, the security team believes that the attacker did not modify any packages or gained access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages. npm uses a completely separate infrastructure from, says Mike.


If you are one of the known-affected victim users and organizations that they have discovered through their analysis, you will receive a notification email from GitHub within the next 72 hours with additional details and the next steps to proceed with. No need to worry if you don't receive any email as you are not affected by this data breach.


Have a question? Or, a comment? Let's Discuss it below...


Thank you for visiting our website!

We value your engagement and would love to hear your thoughts. Don't forget to leave a comment below to share your feedback, opinions, or questions.

We believe in fostering an interactive and inclusive community, and your comments play a crucial role in creating that environment.