GitHub Rebuffs Breach With Swift Action, Rotating Credentials

The holidays were anything but happy over at Slack, which saw threat actors access its externally hosted GitHub repositories.

The miscreants apparently used a “limited” number of stolen Slack employee tokens. And while they breached some of the platform’s private code repositories, the primary codebase—as well as customer data—wasn’t affected.

“On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository,” according to a Slack alert. “Our investigation also revealed that the threat actor downloaded private code repositories on December 27, [2022]. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase.”

That’s not surprising. “As DevOps has moved to the cloud, it has become much easier to steal code repositories,” said John Bambenek, principal threat hunter at Netenrich.

“The worst possibility is stealing authentication secrets and tokens that allow access to other resources, which also are usually in the cloud,” he said. “With the disappearing perimeter, all we’ve gotten is the loss of the company’s ability to protect their information.”

Bleeping Computer, which discovered the update, noted it is not included on the platform’s international news blog and is in some regions marked with ‘noindex’—an HTML meta tag directive that tells search engines not to index a webpage, thereby making the page harder to discover.

“It looks like this breach won’t directly affect Slack’s massive user base, but it does have some potential implications for the developers. Slack is going to have to audit their own code to make sure there aren’t any vulnerabilities in the stolen code an attacker could leverage and figure out how the threat actors got access to their developers’ tokens in the first place,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

“As for the transparency issue, that’s a separate issue. While there are legal and ethical reasons to be transparent about incidents that affect the customer base, when it’s strictly internal, as this appears to be, it can be different,” said Parkin. “There can be very legitimate reasons to not make a big deal about an incident and keep the information somewhat contained.”

Security researchers and analysts, he pointed out, “may be asking ‘What did the attackers get, and what can they do with it?’ but for the world as a whole, it’s just a footnote unless it leads to a breach. And even then, the breach and how to mitigate it will be the important part to know about, while how it happened remains an interesting footnote.”

By acting swiftly, Slack blunted the impact of the incident. “It appears Slack corralled this one quickly by ‘immediately invalidating the stolen tokens,’” said Timothy Morris, chief security advisor at Tanium.

“They also took extra precaution by rotating ‘all relevant credentials,’” he noted. “Slack stated that there was no access to infrastructure or customer data; only that the private code repositories were downloaded from their externally hosted GitHub repository.”

Noting that “typically, code repositories contain documentation, notes, changes and code itself,” Morris pointed out that “only Slack, and now the perpetrators, know what the beneficial data is and whether or not it could be used for future attacks or monetized.”

One positive note, he added, is “the time elapsed between detection and disclosure was fast at four days (December 27, 2022 to December 31, 2022). A credit to Slack for expedient disclosure.”


Teri Robinson
