Code search and navigation platform Sourcegraph on Thursday announced that it has experienced a data breach after an engineer accidentally leaked an admin access token.
The incident was identified on August 30, after the platform experienced a massive surge in API usage that prompted an immediate investigation.
According to the platform, the admin access token used in the attack was leaked in a July 14 commit that passed internal code analysis tools. The token “had broad privileges to view and modify account information on Sourcegraph.com”.
On August 30, a user elevated the privileges for a recently created Sourcegraph account, gaining unauthorized access to the admin dashboard.
“The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph’s APIs and leverage the underlying LLM. Users were instructed to create free Sourcegraph.com accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit,” the platform explains in an incident notice.
Rapidly gaining attention from numerous people looking to obtain free access to the Sourcegraph API, the proxy app started being used to create new accounts, which resulted in a spike in API usage.
The malicious user having admin privileges could have accessed license key recipients’ names and email addresses, and Sourcegraph license keys for a subset of customers, as well as the email addresses of Sourcegraph community users.
“We have no indication that any of this data was viewed, modified, or copied, but the malicious user could have viewed license key recipients’ emails and community user email addresses as they navigated the admin dashboard,” Sourcegraph says.
On the admin dashboard page providing access to paid customer license keys, the malicious user could only view the first 20 license key items and Sourcegraph was able to quickly determine which items were viewed. These keys do not provide access to customer instances, the platform underlines.
“Customers’ private data or code was not viewed during this incident. Customer private data and code resides in isolated environments and were therefore not impacted by this event,” Sourcegraph notes.
Immediately after identifying the incident, the platform fully revoked the malicious user’s access, rotated the Sourcegraph customer license keys that might have been viewed, temporarily reduced the rate limits for all free community users, and continued to monitor for suspicious activity.
Related: 500k Impacted by Data Breach at Fashion Retailer Forever 21
Related: 10 Million Likely Impacted by Data Breach at French Unemployment Agency
Related: University of Minnesota Confirms Data Breach, Says Ransomware Not Involved