Incident

Sourcegraph reports Data Breach due to Admin Access Token in source code

Take action: Although the resulting exploit resembles Robin Hood in that it gave Sourcegraph's services away to users, this is still an excellent reason to be very diligent about secrets, tokens and credentials in source code.


Learn More

Sourcegraph, a code search and navigation platform, reported a data breach resulting from an accidental leak of an admin access token by one of its engineers.

The breach was discovered on August 30 when the platform observed a significant increase in API usage, prompting an immediate investigation.

It was determined that the admin access token, which had broad privileges to view and modify account information on Sourcegraph.com, had been inadvertently leaked in a source code commit on July 14. On August 30, an unauthorized user escalated the privileges of a newly created Sourcegraph account, gaining access to the admin dashboard.

The attacker developed a proxy app that allowed users to call Sourcegraph's APIs directly and exploit the underlying Large Language Models. Users were instructed to create free Sourcegraph.com accounts, generate access tokens, and then send a request to the malicious user to significantly increase their rate limit. This proxy app, which attracted considerable attention from individuals seeking free access to the Sourcegraph API, led to a surge in API usage.

While the malicious user had admin privileges, there is no evidence to suggest that they viewed, modified, or copied any data. However, they could have accessed

  • names and email addresses of license key recipients,
  • Sourcegraph license keys for some customers,
  • the email addresses of Sourcegraph community users.

On the admin dashboard page providing access to paid customer license keys, the malicious user could only view the first 20 license key items, and Sourcegraph was able to identify which items were viewed. These license keys do not provide access to customer instances.

Sourcegraph stated that customers' private data and code were not accessed during this incident, as such data resides in isolated environments and remained unaffected. In response to the incident, Sourcegraph took immediate action by revoking the malicious user's access, rotating Sourcegraph customer license keys that might have been viewed, temporarily reducing rate limits for free community users, and continuously monitoring for suspicious activity.
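The "Take action" advice above is to keep tokens out of commits. The following is an added example (not Sourcegraph's tooling) of a pre-commit style scanner that checks the added lines of a unified diff for token-shaped strings and uses Shannon entropy to skip obvious placeholders; the `sgp_` token shape, the credential-assignment pattern and the sample diff are constructed assumptions.

```python
"""Scan added lines of a unified diff for strings that look like leaked
access tokens, so a leak can be blocked before it reaches the repository.
Added example; token shapes and the sample diff are assumptions."""
import math
import re
from collections import Counter

# Assumed token shapes: a prefixed 40-hex-char token, and any long value
# assigned to a name that suggests a credential.
TOKEN_PATTERNS = [
    ("prefixed access token", re.compile(r"\bsgp_[0-9a-f]{40}\b")),
    ("credential assignment", re.compile(
        r"(?i)(token|secret|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_diff(diff: str, min_entropy: float = 3.0) -> list[dict]:
    """Return findings for added lines ('+' but not the '+++' file header)."""
    findings, path = [], None
    for line in diff.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for kind, pattern in TOKEN_PATTERNS:
            match = pattern.search(added)
            if not match:
                continue
            candidate = match.group(match.lastindex or 0)
            if shannon_entropy(candidate) < min_entropy:
                continue  # low entropy: a placeholder such as CHANGE_ME, not a secret
            # Redact the value in the report so the scanner itself does not leak it.
            findings.append({"file": path, "kind": kind, "match": candidate[:8] + "..."})
            break
    return findings

# Constructed sample diff: one real-looking token and one placeholder.
SAMPLE_DIFF = """\
diff --git a/deploy/config.yaml b/deploy/config.yaml
--- a/deploy/config.yaml
+++ b/deploy/config.yaml
@@ -1,2 +1,3 @@
 service: frontend
-debug: true
+admin_token: sgp_0123456789abcdef0123456789abcdef01234567
+api_key: CHANGE_ME_CHANGE_ME_CHANGE_ME
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"{finding['file']}: {finding['kind']} ({finding['match']})")
```

Wired into a pre-commit hook over `git diff --cached`, a non-empty result is the signal to refuse the commit and rotate the token.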
