AI-powered coding platform Sourcegraph revealed that its website was breached this week using a site-admin access token accidentally leaked online on July 14th.
An attacker used the leaked token on August 28th to create a new site-admin account and log into the admin dashboard of the company’s website, Sourcegraph.com, two days later.
The security breach was discovered the same day after Sourcegraph’s security team observed a significant increase in API usage, described as “isolated and inorganic.”
After gaining access to the website’s admin dashboard, the threat actor switched their rogue account’s privileges multiple times to probe Sourcegraph’s system.
“Our security team identified a code commit from July 14 where a site-admin access token was accidentally leaked in a pull request and was leveraged to impersonate a user to gain access to the administrative console of our system,” Sourcegraph’s Head of Security Diego Comas disclosed on Wednesday.
“The malicious user, or someone connected to them, created a proxy app allowing users to directly call Sourcegraph’s APIs and leverage the underlying LLM. Users were instructed to create free Sourcegraph.com accounts, generate access tokens, and then request the malicious user to greatly increase their rate limit,” Sourcegraph’s
Private code and credentials were not exposed
During the incident, the attacker gained access to Sourcegraph customers’ information, including license keys, names, and email addresses (free-tier users had only their email addresses exposed).
No further customer information sensitive data, such as private code, emails, passwords, usernames, or other personally identifiable information (PII), was exposed in the attack, according to Comas.
“There is no indication that any of your personal information was modified or copied, but the malicious user could have viewed this data as they navigated the admin dashboard,” Comas said in emails sent to potentially affected users.
“Customers’ private data or code was not viewed during this incident. Customer private data and code resides in isolated environments and were therefore not impacted by this event.”
After discovering the security breach, Sourcegraph deactivated the malicious site-admin account, temporarily reduced API rate limits applicable to all free community users, and rotated the license keys that could have been potentially exposed in the attack.
With a global user base exceeding 1.8 million software engineers, Sourcegraph’s client roster includes high-profile companies like Uber, F5, Dropbox, Lyft, Yelp, and more.