Mintlify, a documentation startup, disclosed a data breach that exposed GitHub tokens belonging to dozens of customers at the beginning of the month. The incident was publicly revealed last week.
Mintlify assists developers in creating documentation for their software and source code by accessing customers’ GitHub repositories. The company’s clientele includes fintech, database, and AI startups.
Attributing the March 1 incident to a vulnerability in its own systems, Mintlify disclosed that 91 customers had their GitHub tokens compromised.
GitHub tokens are the credentials users issue to grant third-party apps like Mintlify access to their accounts. If a token is stolen, the attacker gains whatever privileges that token allows.
Co-founder Han Wang explained in a blog post that affected users have been notified, and Mintlify is collaborating with GitHub to determine if the tokens were used to access private repositories.
Following the incident, some users on Reddit and Hacker News reported receiving an email from Mintlify, even though the initial blog post had said no further action was necessary.
In a post on Hacker News, Wang revealed that a system vulnerability exposed the company’s internal admin credentials to customers, potentially granting access to sensitive user information.
Mintlify is taking steps to discontinue the use of private tokens to prevent similar incidents in the future. Wang characterized the breach as malicious, although he had initially referred to the person who discovered the vulnerability as a bug bounty reporter.
In communication with TechCrunch, Wang stated that investigations with one affected customer indicated that the leaked token was likely not utilized by the attacker. Mintlify is actively working with GitHub and customers to ascertain if other tokens were exploited.