Responding to the GitHub Breach

On April 15th, 2022, GitHub, a ubiquitous software development host owned by Microsoft, suffered a third-party breach. This post will tell you everything you need to know— from how to tell if you’re exposed, to how to respond and try to mitigate your risk exposure.

What happened?

GitHub provides its customers with code repositories that hold all of their public and private source code. As of the end of 2021, GitHub claimed to have over 73 million users. GitHub holds repositories for open source providers, private companies and public companies.

On April 12th, GitHub discovered unauthorized access to its npm production environment by use of a compromised AWS API key. The unknown attacker(s) stole OAuth user tokens issued to two third-party OAuth integrators: Heroku (a Salesforce company) and Travis-CI. The attackers downloaded data from dozens of organizations, including npm.

How bad is it?

It is still unknown how the attackers gained access to the tokens (which require customers to grant access); therefore, we cannot yet gauge the severity of this third-party breach. However, the potential damage of this breach is substantial. The attacker could exploit the stolen repository contents to learn corporate secrets and then use those secrets to gain access to Heroku and Travis-CI’s third-parties. Furthermore, in this classic supply-chain attack, the threat actor could continue to exploit GitHub for other companies’ access credentials.

Was Panorays impacted?

No. Panorays is not using GitHub as our source control service nor do we leverage Heroku or TravisCI services.

Who might be impacted?

Anyone using GitHub may be impacted by this compromise. The impact on the Intellectual Property of companies and the functionality of the products they provide to their customers could be severe.

What can you do right now?

• If you do not see GitHub, you can add it as a supplier and view the information.

2. Protect: Use these proposed mitigations:
   • Revoke access to any of the Heroku and TravisCI auth tokens until further notice from the 3 companies involved (Heroku, TravisCI, and GitHub).
     • Please note this may cause disruption of your business; it is advised to communicate with the appropriate business owners internally.
   • If you have more granular control of your auth tokens for other services connected to your GitHub account, lower the privileges to the absolute minimum you can allow.

3. Respond: Refer to Panorays’ Third-Party Incident Response Playbook, available to help you prepare for and respond to incidents like these with your third parties.
   • Communicate to employees (especially developers) the need for extra vigilance. In particular, they must notify security administrators about any upticks in suspicious activity within your development environment.
     • Review the GitHub Audit Logs: https://github.com/settings/security-log
   • Get updates from GitHub’s official page: https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/
     • You can also follow the official GitHub Security profile on Twitter for more updates: https://twitter.com/GitHubSecurity
   • Get updates from Heroku’s official incident page: https://status.heroku.com/incidents/2413

How Panorays can help

Clearly, having visibility into and control over your third-party security is critical to maintaining a strong cyber posture. That’s why Panorays combines automated, dynamic security questionnaires with external attack surface assessments and business relationship context to provide you with a rapid, accurate view of supplier and fourth-party cyber risk. Our platform continuously monitors and evaluates your suppliers, sending you live alerts about any security changes or breaches to your third parties.

Want to learn more about how you can prevent third-party cyber breaches? Contact Panorays today to schedule a demo.