GitHub says hackers stole data from thousands of internal repositories

GitHub, the Microsoft-owned company that runs the world's largest code hosting platform, announced on Tuesday that it is investigating a cybersecurity breach. The company confirmed that hackers exfiltrated data from thousands of internal GitHub repositories, while emphasising there is no evidence of access to customer code or customer databases.
GitHub's Information Security team first detected the breach on the morning of 17 May. Unusual network traffic patterns were flagged by automated monitoring systems. The preliminary review established that the attacker had gained unauthorised access to GitHub's own internal GitHub Enterprise servers.
GitHub's Chief Security Officer, Mike Hanley, wrote in a blog post: 'The attacker copied source code, internal documentation and a quantity of build scripts from thousands of repositories on our internal side. The most important point we wish to underline: there is no evidence of any access to customer repositories, customer account information, or SDK secrets used to run GitHub Actions.'
The scope of the breach is currently under investigation. Affected internal repositories include the web platform code, mobile app source code, documentation, internal tooling and the prompt architecture of the Copilot AI assistant. According to GitHub, Microsoft Azure and Windows code is not within the scope of this breach; Microsoft's own internal GitHub Enterprise instances are hosted on different infrastructure.
Cybersecurity experts are questioning the significance of the breach. GitHub's own code was not published as open source, but some build scripts and test tooling could be valuable to competitors. Architectural insights could make it easier to understand how GitHub works, which may indirectly affect customers' security.
The source of the attack has not yet been identified. The GitHub Threat Intelligence team has not attributed it to a specific actor type, such as Russian or Chinese state actors. But the sophisticated nature of the breach and the target selection raise suspicion of a state-backed group. Technical signatures from the attack will become clearer at later stages of the investigation.
GitHub announced that it had immediately notified federal law enforcement and was working with the FBI. The Microsoft Security Response Center (MSRC) is also involved in the incident. Credentials and API keys in the affected repositories have been provisionally revoked and rotated.
As a precaution for customers, GitHub recommends that all users ensure two-factor authentication (2FA) is enabled. Developers using Personal Access Tokens are advised to rotate (refresh) those tokens. GitHub Enterprise customers are asked to review external-IP audit logs.
The direct share-price impact of the breach is limited because GitHub is not a separately listed public company: Microsoft bought GitHub for $7.5 billion in 2018. Microsoft's share price fell 1.2 percent before the market opened on Wednesday following disclosure of the breach.
Overall, the cybersecurity community has welcomed GitHub's transparency in disclosing the incident. According to Verizon's annual Data Breach Investigations Report, organisations take an average of 56 days to disclose breaches; GitHub's disclosure of the incident within three days is well below that industry average. The event is a serious wake-up call for enterprise code hosting; similar risks apply to GitLab, Bitbucket and other platforms.