Incident

Mintlify documentation startup leaks customer GitHub tokens, exposes 91 customers

Take action: a chain of three failures made this breach possible: an API error response that returned internal admin token details to the caller, customer GitHub tokens stored in the database where those admin tokens could read them, and internal endpoints reachable from the public internet.



Mintlify, a startup specializing in assisting developers with creating documentation for their software and source code, is reporting a significant data breach.

The incident resulted in the exposure of GitHub tokens belonging to 91 of its customers. These customers span various sectors, including fintech, database, and AI startups, relying on Mintlify's services to access and manage documentation directly from their GitHub source code repositories.

GitHub tokens let users grant third-party applications such as Mintlify access to their GitHub accounts. Whoever holds a leaked token can act against the user's source code with whatever permissions that token was granted, so the blast radius depends on the token's scope.

The breach was attributed to a vulnerability within Mintlify’s own systems, specifically an API error response that leaked the company’s internal admin credentials to its clients:

The source of this security incident was an uncaught error response in one of our APIs that didn't properly format the response before sending it back to the client. The response contained our internal admin tokens, which can then be used to access internal endpoints, which unveiled sensitive user information.

The admin tokens were used to access GitHub tokens stored within our databases and were used to access a customer's repository.

Following the discovery of the breach, Mintlify has been actively notifying affected users and collaborating with GitHub to ascertain whether any private repositories were accessed using the compromised tokens.

Preliminary investigation with one affected customer suggested that the leaked token had not been used by the attacker, some relief amid concern over the breach's potential consequences, although a single unused token says nothing about the other 90.
