Documentation startup Mintlify says dozens of consumers had GitHub tokens uncovered in an information breach firstly of the month and publicly disclosed final week.

Mintlify helps builders create documentation for his or her software program and supply code by requesting entry and tapping instantly into the shopper’s GitHub supply code repositories. Mintlify counts fintech, database and AI startups as prospects.

In a weblog publish Monday, Mintlify blamed its March 1 incident on a vulnerability in its personal programs, however stated 91 of its prospects had their GitHub tokens compromised in consequence.

These personal tokens enable GitHub customers to share their account entry with third events apps, together with corporations like Mintlify. If these tokens are stolen, an attacker might receive the identical stage of entry to an individual’s supply code because the token permits.

“The customers have been notified, and we’re working with GitHub to establish whether or not the tokens have been used to entry personal repositories,” Mintlify co-founder Han Wang wrote in a weblog publish.

Information of the incident grew to become public final week when some customers on Reddit and Hacker Information commented after getting an e-mail from Mintlify on Friday concerning the incident, days after the corporate’s weblog publish initially advised prospects that “no additional motion is required in your half.”

In a publish discussing the breach on Hacker Information, Wang stated a vulnerability in its programs was leaking the corporate’s inner admin credentials to prospects. These credentials might then be used to entry the corporate’s inner endpoints to entry different unspecified delicate consumer data, Wang stated.

Wang stated that the corporate was within the technique of deprecating the usage of personal tokens “to stop an incident like this from ever taking place once more.”

Whereas the weblog publish describes the one who found the vulnerability as a bug bounty reporter, the corporate’s co-founder Wang described the occasions as malicious.

“The targets of this assault have been GitHub tokens of our customers,” Wang advised TechCrunch by e-mail.

“Investigations with one impacted buyer revealed that the leaked token was probably not utilized by the attacker. We’re at the moment working with GitHub and our prospects to uncover if any of the opposite tokens have been utilized by the attacker,” Wang stated.