“The leak was caused by a former business partner of the company, the analytical platform Waydev. Due to Waydev’s negligence, attackers were able to gain unauthorized access to Dave’s user data,” Dave representatives said later.
Now the Waydev developers have confirmed that earlier this month unknown hackers stole the company’s GitHub and GitLab OAuth tokens.
The Waydev platform is used to monitor the results of software developers’ work by analyzing Git codebases. For this, Waydev has a dedicated app on GitHub and GitLab. When users install this app, Waydev receives an OAuth token that can be used to access the clients’ projects on GitHub or GitLab. Waydev stores the tokens in its database and uses them daily to generate analytical reports for clients.
“Hackers discovered a vulnerability and performed SQL injection to get to the Waydev database and steal tokens. The attackers then used the tokens to navigate to the codebases of other companies and gain access to their projects,” Waydev representatives said.
The company says it discovered the attack on July 3, 2020 and fixed the vulnerability used by the attackers on the same day. Waydev engineers also worked with GitHub and GitLab to revoke all affected OAuth tokens.
Let me also remind you that, previously, unknown hackers compromised Canonical’s account on GitHub.
Waydev is now confident that the hackers gained access to the codebases of a small number of customers. So far, only two victims are known: the already mentioned company Dave and the software testing service Flood.io.
Now the company is investigating the incident together with law enforcement agencies and information security experts from Bit Sentinel.
To make it easier for potential victims to detect suspicious activity, Waydev representatives have already released indicators of compromise associated with the unknown attackers, including email addresses, IP addresses and user agent.
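A sweep of the kind such indicators make possible, as an added example (not code from Waydev or from the original article). The indicator values are constructed placeholders from documentation ranges and reserved domains, and the JSON-lines log format with its field names is hypothetical.

```python
import ipaddress
import json

# Constructed placeholder indicators (documentation ranges and reserved
# domains); substitute the values from the vendor's published IoC list.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.77/32")]
IOC_USER_AGENTS = ("example-scanner/0.1",)
IOC_EMAILS = {"attacker@example.invalid"}

# Constructed JSON-lines access log; the field names are hypothetical.
SAMPLE_LOG = """\
{"ip": "192.0.2.10", "user_agent": "git/2.27.0", "actor_email": "dev@example.com", "repo": "acme/api"}
{"ip": "203.0.113.5", "user_agent": "git/2.27.0", "actor_email": null, "repo": "acme/api"}
{"ip": "192.0.2.44", "user_agent": "Example-Scanner/0.1 (linux)", "repo": "acme/billing"}
truncated line that is not JSON
{"ip": "198.51.100.77", "user_agent": "example-scanner/0.1", "actor_email": "Attacker@Example.invalid", "repo": "acme/infra"}
"""

def match_event(event):
    """Return the indicator types ("ip", "user_agent", "email") an event matches."""
    reasons = []
    try:
        addr = ipaddress.ip_address(event.get("ip"))
        if any(addr in net for net in IOC_NETWORKS):
            reasons.append("ip")
    except ValueError:
        pass  # missing or malformed address: no IP match possible
    agent = (event.get("user_agent") or "").lower()
    if any(ioc in agent for ioc in IOC_USER_AGENTS):
        reasons.append("user_agent")
    if (event.get("actor_email") or "").lower() in IOC_EMAILS:
        reasons.append("email")
    return reasons

def scan(log_text):
    """Return (line number, repo, matched indicator types) for each hit."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the sweep
        if isinstance(event, dict) and (reasons := match_event(event)):
            hits.append((lineno, event.get("repo"), reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on networks rather than exact address strings, and on case-folded user agents and emails, keeps the sweep from missing hits that differ from the published indicator only in formatting.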
By the way, do you remember that GitHub imposes sanctions on accounts of developers from Iran, the Crimea and Syria?