Popular AI-powered coding platform Sourcegraph reveals that its website was breached this week due to a leaked site-admin access token.
The token was leaked online on July 14th, but it was not until August 28th that an attacker used it to create a new site-admin account and log into the admin dashboard of the company's website. Sourcegraph's security team discovered the breach after observing a significant increase in API usage, which it described as isolated and inorganic.
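The signal that exposed this breach was a usage spike that stood out as "isolated and inorganic": one account's traffic jumping far above its own history and above everyone else's. As an added example (not Sourcegraph's code or detection logic), the script below runs that kind of check over constructed API-usage log lines: it buckets requests per account per hour, flags an hour whose count is an order of magnitude above that account's median, and separately flags an hour in which a single account produced most of all traffic. The log format, account names and thresholds are assumptions of this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed log format for this example (not Sourcegraph's real logs):
# one API request per line, with an ISO-8601 timestamp and the calling account.
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d\d-\d\dT\d\d):\d\d:\d\dZ "
    r"account=(?P<acct>\S+) route=(?P<route>\S+) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Yield (hour_bucket, account) for every well-formed line; skip junk."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["hour"], m["acct"]


def find_spikes(text, factor=10.0, min_requests=50, share=0.5):
    """Return [(account, hour, count, reasons), ...], sorted.

    An hour is reported only if the account made at least `min_requests`
    calls in it, and then for one or both of these reasons:
      "baseline": the count is more than `factor` times the median of the
                  account's earlier hours (an account with no history is
                  judged on `min_requests` alone);
      "isolated": the account produced more than `share` of ALL requests in
                  that hour, i.e. the growth is not spread across users.
    """
    per_acct = defaultdict(lambda: defaultdict(int))  # acct -> hour -> n
    per_hour = defaultdict(int)                       # hour -> n (all accts)
    for hour, acct in parse_log(text):
        per_acct[acct][hour] += 1
        per_hour[hour] += 1

    findings = []
    for acct, hours in per_acct.items():
        ordered = sorted(hours.items())
        for i, (hour, n) in enumerate(ordered):
            if n < min_requests:
                continue
            prior = [c for _, c in ordered[:i]]
            baseline = statistics.median(prior) if prior else 0
            reasons = []
            if n > factor * baseline:
                reasons.append("baseline")
            if n / per_hour[hour] > share:
                reasons.append("isolated")
            if reasons:
                findings.append((acct, hour, n, tuple(reasons)))
    return sorted(findings)


def _requests(hour, acct, n):
    """Constructed sample data: n requests from `acct` inside the given hour."""
    return [
        f"{hour}:{i % 60:02d}:{i // 60:02d}Z account={acct} "
        f"route=/.api/completions status=200"
        for i in range(n)
    ]


_DAY = "2023-08-28T"
SAMPLE_LOG = "\n".join(
    # a regular user making a handful of calls every hour
    sum((_requests(f"{_DAY}{h:02d}", "u_normal", 5) for h in range(8, 13)), [])
    # the rogue proxy's account: a quiet history, then a burst
    + _requests(f"{_DAY}08", "u_proxy", 3)
    + _requests(f"{_DAY}09", "u_proxy", 3)
    + _requests(f"{_DAY}12", "u_proxy", 200)
    # a freshly created free-tier account with no history that starts hammering the API
    + _requests(f"{_DAY}12", "u_new", 80)
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for acct, hour, n, reasons in find_spikes(SAMPLE_LOG):
        print(f"{hour} {acct}: {n} requests -> {', '.join(reasons)}")
```

The two rules are deliberately independent: the per-account baseline catches an old account that suddenly changes behaviour, while the share-of-total rule catches the "isolated" pattern even for a brand-new account that has no baseline at all, which matters here because the proxy scheme relied on freshly created free accounts.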
How the Threat Actor Gained Access to Sourcegraph’s Website
Using the token, the threat actor got into the website's admin panel and then repeatedly changed the rogue account's privileges while exploring Sourcegraph's system.
In a security update posted on August 30th on the company website, Diego Comas, Sourcegraph's Head of Security, wrote:
Our security team identified a code commit from July 14 where a site-admin access token was accidentally leaked in a pull request and was leveraged to impersonate a user to gain access to the administrative console of our system…
The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph’s APIs and leverage the underlying LLM. Users were instructed to create free Sourcegraph.com accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit.
Diego Comas, Sourcegraph’s Head of Security (Source)
According to the same security update, the promise of free access to the Sourcegraph API prompted many people to create accounts and start using the proxy app, which drew close to 2 million views.
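The root cause quoted above is a site-admin access token that reached a pull request inside a code commit. As an added example (not Sourcegraph's code or tooling), the script below is the kind of pre-commit or CI check that stops such a token before it is pushed: it parses a unified diff, inspects only the added lines, and reports Sourcegraph-style `sgp_` tokens (the prefix and length are an assumption of this example, not a Sourcegraph specification) as well as any high-entropy value assigned to a token-like key, while ignoring low-entropy placeholders such as `changeme`. The diff, file names and the token in it are constructed dummies.

```python
import math
import re
from collections import Counter

# Token shapes this example looks for. The "sgp_" prefix format is an
# assumption of this example, not a Sourcegraph specification; the second rule
# is a generic "secret-looking value assigned to a secret-like key" catch-all.
TOKEN_PATTERNS = {
    "sourcegraph-sgp": re.compile(r"\bsgp_(?:[0-9a-f]{16}_)?[0-9a-f]{40}\b"),
    "generic-assignment": re.compile(
        r"(?i)(?:token|secret|api[_-]?key|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{24,})"
    ),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above placeholders."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(secret):
    """Never echo the whole secret into CI logs; keep just enough to locate it."""
    return secret[:4] + "..." + secret[-4:]


def scan_diff(diff_text, min_entropy=3.5):
    """Scan only the ADDED lines of a unified diff.

    Returns [(path, new_line_no, rule, redacted_secret), ...]. Generic hits
    below `min_entropy` are dropped as placeholders ("changeme_changeme...").
    """
    findings = []
    path, new_no, in_hunk = None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            new_no, in_hunk = int(hunk.group(1)), True
            continue
        if not in_hunk:
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
            continue                      # ---, index, mode lines: no content
        if line.startswith("\\"):
            continue                      # "\ No newline at end of file"
        if line.startswith("-"):
            continue                      # removed lines don't advance new numbering
        if line.startswith("+"):
            body = line[1:]
            for rule, pattern in TOKEN_PATTERNS.items():
                hits = [m.group(1) if m.groups() else m.group(0)
                        for m in pattern.finditer(body)]
                if rule == "generic-assignment":
                    hits = [h for h in hits if shannon_entropy(h) >= min_entropy]
                if hits:
                    findings.append((path, new_no, rule, redact(hits[0])))
                    break                 # one report per line; specific rule wins
        new_no += 1
    return findings


# Constructed diff; the token is a dummy value with the assumed shape.
SAMPLE_DIFF = """\
diff --git a/scripts/sync.sh b/scripts/sync.sh
--- a/scripts/sync.sh
+++ b/scripts/sync.sh
@@ -1,4 +1,6 @@
 #!/bin/sh
-SRC_ENDPOINT=https://sourcegraph.example
+SRC_ENDPOINT=https://sourcegraph.example
+# TODO remove before merge
+export SRC_ACCESS_TOKEN=sgp_0123456789abcdef0123456789abcdef01234567
 curl -s "$SRC_ENDPOINT/.api/graphql" -H "Authorization: token $SRC_ACCESS_TOKEN"
+echo done
diff --git a/config/example.yml b/config/example.yml
--- a/config/example.yml
+++ b/config/example.yml
@@ -3,2 +3,3 @@
 auth:
-  token: changeme
+  token: changeme_changeme_changeme_1
+  api_key: Q7vLp2xR9sTbN4mWkH8cZ1yJ6dF3aG5u
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for path, line_no, rule, redacted in hits:
        print(f"{path}:{line_no}: {rule}: {redacted}")
    raise SystemExit(1 if hits else 0)    # non-zero exit blocks the commit in a hook
```

Wired into a hook as `git diff --cached | python scan.py`, a non-zero exit refuses the commit. A scan like this is a guard, not a remedy: once a token has reached a remote it has to be treated as burned and rotated regardless, which the timeline on this page illustrates, with six weeks between the leak and its first use.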
The Impact of the Breach
During the incident, the attacker gained access to Sourcegraph customer information: license keys, names, and email addresses of paying customers, while free-tier users had only their email addresses exposed.
According to Comas, no other sensitive customer data was exposed: private code, passwords, usernames, and other personally identifying information (PII) were not affected.
So far, there are no indications that any of the exposed data was viewed, modified, or copied.
Customers’ private data or code was not viewed during this incident. Customer private data and code reside in isolated environments and were therefore not impacted by this event.
Diego Comas, Sourcegraph’s Head of Security (Source)
As soon as the breach was identified, Sourcegraph disabled the rogue site-admin account, temporarily reduced the API rate limits for all free community users, and rotated any license keys that might have been compromised.
Sourcegraph has a global user base exceeding 1.8 million software engineers, including some high-profile companies such as Uber, F5, Dropbox, Yelp, Lyft, and others.