Incident

Source code of Mercedes-Benz exposed via leaked GitHub token

A Mercedes-Benz employee apparently inadvertently exposed the company's source code through a leaked GitHub token. The leak was discovered during a scan by security researchers from Redhunt, who found a GitHub repository containing this sensitive information.

The leaked token provided unlimited and unsupervised access to all the source code hosted on the firm's GitHub Enterprise server. This access included confidential data such as:

  • intellectual property,
  • database connection strings,
  • cloud access keys,
  • blueprints,
  • design documents,
  • SSO passwords,
  • API keys.

It's unclear how long the token was exposed and whether it was abused.

Had this situation been exploited, the sensitive data would have become accessible to threat actors, who could use the compromised token to extract all sensitive data and sell it on dark web marketplaces, inject ransomware, implant backdoors, or extort the company.
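The leak was found by scanning a repository for credentials. As an added example (not code from the page, Redhunt, or Mercedes-Benz), the following Python scanner flags the documented GitHub token formats in text and reports each finding with the secret redacted; the sample input and the `deploy.env` file name are constructed.

```python
import re
from typing import List, NamedTuple

# Token shapes documented by GitHub: classic/OAuth/app tokens are a prefix
# (ghp, gho, ghu, ghs, ghr) plus 36 base62 chars; fine-grained PATs are
# "github_pat_" + 22 chars + "_" + 59 chars. Guards stop partial matches.
GITHUB_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(gh[pousr]_[A-Za-z0-9]{36}|"
    r"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})(?![A-Za-z0-9_])"
)


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    redacted: str  # the report never carries the full secret


def redact(token: str) -> str:
    # Keep the prefix and last four characters: enough to triage, not to use.
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return prefix + "..." + token[-4:]


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    # Return one Finding per token occurrence, with 1-based line numbers.
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            tok = m.group(1)
            kind = "fine-grained PAT" if tok.startswith("github_pat_") else tok[:3]
            findings.append(Finding(path, lineno, kind, redact(tok)))
    return findings


# Constructed sample (not real credentials): a deploy file with two token shapes.
SAMPLE = (
    "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    "api_base = https://ghe.example.internal/api/v3\n"
    "PAT: github_pat_ABCDEFGHIJKLMNOPQRSTUV_"
    "01234567890123456789012345678901234567890123456789abcdefghi\n"
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "deploy.env"):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

Run against a checked-out repository or a secrets-scanning pipeline, a hit on a line like `GITHUB_TOKEN=...` is the cue to revoke the token on the GitHub Enterprise side first and only then remove it from history.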
