I was one of the 91 users affected by the Mintlify token leak — here's what I learned

In March 2024, I got a crash course in third-party OAuth risk when my company's private GitHub repos were cloned and republished by an attacker. The vector: a security incident at Mintlify, a YC-backed documentation platform.

What happened to me:

On March 1st, I noticed someone had accessed my Mintlify dashboard and changed my documentation repository settings. Within hours, all my private repos had been forked and republished publicly. The attacker had used my GitHub access token — which Mintlify stored to sync documentation from my repos.

I reported it immediately. Mintlify's team (shoutout to Hahnbee) was responsive and worked through the weekend to revoke tokens, patch endpoints, and lock things down.

The bigger picture:

Mintlify published a full incident report: mintlify.com/blog/incident-march-13

The short version: attackers gained access to admin tokens, which led to 91 GitHub tokens being compromised. They confirmed at least one customer's repository was accessed using those tokens (that was me). They responded by:

  • Revoking all GitHub tokens
  • Rotating internal secrets
  • Partnering with a cybersecurity firm (Oneleet)
  • Re-auditing their SOC 2 certification

Credit where it's due — they handled the response professionally and were transparent about what happened.

Why I'm posting this:

Not to bash Mintlify. Breaches happen, and their response was solid. But this incident changed how I think about OAuth integrations.

When you connect a docs platform to your GitHub, you're granting read access to your repos. Most of us click "Authorize" without thinking twice. I certainly did. The convenience of auto-syncing docs from your repo comes with real risk if that platform gets compromised.

After the incident, I spent a few weeks building my own free alternative (https://vellocs.dev) — partly as a learning exercise, partly because I wanted more control over what has access to my repos.

Takeaways:

  1. Audit your OAuth connections regularly: github.com/settings/apps/authorizations shows everything you've authorized
  2. Principle of least privilege — Does that docs tool really need access to all your repos, or just one?
  3. Incident response matters — Mintlify's transparency post-breach was actually reassuring. A company that hides breaches is scarier than one that discloses them.

Anyone else been caught in a third-party breach like this? Curious how others think about OAuth risk.

submitted by /u/xenos_1337
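An added example (my own, not code from the post, from Mintlify or from Vellocs) for takeaways 1 and 2: it lists the GitHub App installations visible to a user token via the REST endpoint GET /user/installations and flags any that were granted access to all repositories instead of selected ones. The GITHUB_TOKEN variable name, the app slugs and the sample response are constructed; classic OAuth app grants are not returned by this endpoint and still need the settings page the post links.

```python
"""Review which GitHub App installations a user token can see and flag any
granted access to *all* repositories rather than a selected few."""
import json
import os
import urllib.request

# Constructed sample in the shape of GET /user/installations (assumption:
# only the fields used below are modelled; real responses carry many more).
SAMPLE_RESPONSE = {
    "total_count": 2,
    "installations": [
        {"id": 101, "app_slug": "example-docs-sync",
         "repository_selection": "all", "account": {"login": "my-org"}},
        {"id": 102, "app_slug": "example-ci-bot",
         "repository_selection": "selected", "account": {"login": "my-org"}},
    ],
}


def fetch_installations(token: str) -> dict:
    """Call the GitHub REST API for installations the token can access."""
    req = urllib.request.Request(
        "https://api.github.com/user/installations",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def flag_broad_installations(payload: dict) -> list:
    """Return the app slugs whose installation covers every repository."""
    flagged = []
    for inst in payload.get("installations", []):
        if inst.get("repository_selection") == "all":
            flagged.append(inst.get("app_slug", f"id-{inst.get('id')}"))
    return flagged


def summarize(payload: dict) -> dict:
    """Count installations per repository_selection value (quick inventory)."""
    counts = {}
    for inst in payload.get("installations", []):
        sel = inst.get("repository_selection", "unknown")
        counts[sel] = counts.get(sel, 0) + 1
    return counts


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # falls back to the sample offline
    data = fetch_installations(token) if token else SAMPLE_RESPONSE
    print("installations by scope:", summarize(data))
    for slug in flag_broad_installations(data):
        print(f"review: '{slug}' has access to ALL repositories")
```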

from hacking: security in practice https://ift.tt/HwcLWIO