On August 30, 2023, a malicious actor gained unauthorized access to specific Sourcegraph(.)com data through a leaked admin access token.
Sourcegraph is a code AI platform that makes it easy to read, write, and fix code–even in big, complex code bases.
In a recent notice, Sourcegraph confirmed that a security breach occurred, but only limited data was accessed:
– For the Paid Customers: The attacker accessed the license key recipient’s name and email address. A subset of Sourcegraph license keys may have been accessed; affected customers will be contacted to rotate their license keys.
– For the Community Users: Only Sourcegraph account email addresses were accessed, and no further action is required from these users.
“No other sensitive customer information such as private code, emails, passwords, or usernames was compromised,” said Diego Comas, the Head of Security of Sourcegraph.
Substantial Increase in API Usage
On August 30, 2023, Sourcegraph’s security team detected a substantial increase in API usage on Sourcegraph.com, leading to an investigation.
The investigation determined that an active site-admin access token had been accidentally included in a code commit on July 14, 2023, and was later exploited by a malicious external user.
Using this token, the attacker could impersonate a user and gain access to the administrative console.
Attack Timeline
July 14, 2023: A Sourcegraph engineer inadvertently committed a code change containing an active site-admin access token.
August 28, 2023: The attacker created a new Sourcegraph.com account.
August 30, 2023: Using the leaked token, the attacker elevated that account's privileges to site admin and accessed the admin dashboard.
– The attacker alternated the account between site-admin and regular-user privileges.
– A proxy app built by the attacker let other users call Sourcegraph’s APIs, abusing the service’s rate limits.
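The two signals that stand out in this account are the spike in API usage that triggered the investigation and the account bouncing between site-admin and regular-user roles. The following is an added example, not Sourcegraph code, showing how both can be detected over an audit log. The log format (ISO-8601 timestamp, account, event, detail), the account names and the endpoint paths are assumptions, and the sample log is constructed:

```python
"""Two detections drawn from the incident as described above: (1) an account
whose per-minute API call count spikes far above a baseline, and (2) an account
that repeatedly toggles between site-admin and regular-user roles.

Added example, not Sourcegraph code. The audit-log format is an assumption:
    <ISO-8601 timestamp> <account> <event> <detail>
where event is "api" (detail = endpoint) or "role" (detail = new role).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample log (assumed format); not real Sourcegraph data."""
    base = datetime(2023, 8, 30, 10, 0, 0)
    lines = []
    # Two ordinary users: three API calls per minute for five minutes.
    for minute in range(5):
        for i in range(3):
            t = (base + timedelta(minutes=minute, seconds=15 * i)).isoformat()
            lines.append(f"{t} alice api /.api/graphql")
            lines.append(f"{t} bob api /.api/graphql")
    # One account that grants itself site admin, fires 300 calls in 45 seconds,
    # drops back to a regular user, then re-elevates a minute later.
    t0 = base + timedelta(minutes=2)
    lines.append(f"{t0.isoformat()} mallory role site_admin")
    for i in range(300):
        t = (t0 + timedelta(milliseconds=150 * i)).isoformat()
        lines.append(f"{t} mallory api /.api/completions")
    lines.append(f"{(t0 + timedelta(seconds=50)).isoformat()} mallory role user")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} mallory role site_admin")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, account, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, event, detail


def api_spikes(lines, baseline_per_min=10, factor=5):
    """Return {account: peak calls in one minute} for every account whose
    calls in some minute exceed factor * baseline_per_min."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for ts, account, event, _ in map(parse_line, lines):
        if event == "api":
            per_minute[account][ts.replace(second=0, microsecond=0)] += 1
    threshold = baseline_per_min * factor
    peaks = {acct: max(buckets.values()) for acct, buckets in per_minute.items()}
    return {acct: peak for acct, peak in peaks.items() if peak > threshold}


def role_flips(lines, min_flips=2):
    """Return {account: number of role changes} for accounts whose role changed
    at least min_flips times. A single promotion is routine; bouncing between
    site_admin and user is the pattern described in the timeline above."""
    history = defaultdict(list)
    for ts, account, event, detail in sorted(map(parse_line, lines)):
        if event == "role":
            history[account].append(detail)
    result = {}
    for acct, roles in history.items():
        changes = sum(1 for a, b in zip(roles, roles[1:]) if a != b)
        if changes >= min_flips:
            result[acct] = changes
    return result


if __name__ == "__main__":
    print("API spikes:", api_spikes(SAMPLE_LOG))
    print("Role toggling:", role_flips(SAMPLE_LOG))
```

The per-minute bucketing is deliberately coarse: a baseline of 10 calls per minute and a factor of 5 are starting values to tune against your own traffic, and the role-flip rule counts changes rather than absolute role, so a one-time legitimate promotion does not fire.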
Impact of the Attack
The unauthorized admin access led to the creation of a proxy app that attracted a significant number of users, generating nearly 2 million views.
While there is no evidence that the accessible data was viewed, modified, or copied, the malicious user could have seen license key recipient emails and community user email addresses while navigating the admin dashboard.
Exposure of paid customers’ license keys was limited to the first 20 entries shown in the admin dashboard’s license list, because the list is stably sorted and always presents the same entries first. Importantly, no customer private data or code was affected, since it resides in isolated environments.
Sourcegraph Actions Following Incident
Promptly upon understanding the scope of the incident, Sourcegraph took the following actions:
– Identified the malicious account and fully revoked its access.
– Proactively rotated license keys for affected customers.
– Temporarily reduced rate limits for all free community users.
– Implemented new processes and tests to monitor for malicious activity and abuse.
– Began expanding secret scanning with additional static analysis tests to prevent similar leaks in the future.
Sourcegraph teams are actively working on a long-term solution to prevent future incidents.
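The root cause was a live token landing in a commit, and the last remediation item is the control that catches that before it happens. The following is an added example, not Sourcegraph’s tooling, of a pre-commit style scan over the added lines of a diff. It assumes that current Sourcegraph access tokens look like `sgp_` followed by 40 hex characters (an assumption; adjust to the formats your code base uses) and backs that with a generic keyword-plus-entropy rule; the diff it scans is constructed, not from Sourcegraph’s repository:

```python
"""Pre-commit style secret scan over the added lines of a unified diff, the kind
of check the remediation list above says Sourcegraph is expanding.

Added example, not Sourcegraph's tooling. Assumptions: current Sourcegraph
access tokens look like sgp_ followed by 40 hex characters; anything else is
caught by a generic "keyword = value" rule filtered by Shannon entropy so
placeholders such as REPLACE_ME do not trip the hook.
"""
import math
import re
import sys
from collections import Counter

# (regex with a "secret" group, whether to require high entropy). The token
# format is an assumption; add the formats your own codebase uses.
PATTERNS = {
    "sourcegraph_token": (re.compile(r"\b(?P<secret>sgp_[0-9a-f]{40})\b"), False),
    "assigned_credential": (
        re.compile(r"(?i)(?:token|secret|password|api[_-]?key)\s*[:=]+\s*['\"]?"
                   r"(?P<secret>[A-Za-z0-9_\-]{24,})"),
        True,
    ),
}


def shannon_entropy(s):
    """Bits per character; random hex is ~3.7-4.0, random base62 is ~5+."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_added_lines(diff_text, entropy_threshold=4.0):
    """Return [(path, kind, secret)] for credentials on '+' lines only, so a
    commit that removes a secret is not flagged for mentioning it."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for kind, (pattern, needs_entropy) in PATTERNS.items():
            m = pattern.search(added)
            if not m:
                continue
            secret = m.group("secret")
            if needs_entropy and shannon_entropy(secret) < entropy_threshold:
                continue
            findings.append((path, kind, secret))
            break  # one finding per line is enough to block the commit
    return findings


# Constructed diff (not from Sourcegraph's repository) with one token in the
# assumed sgp_ format, one random-looking key, and one harmless placeholder.
SAMPLE_DIFF = """\
diff --git a/internal/client.go b/internal/client.go
--- a/internal/client.go
+++ b/internal/client.go
@@ -10,6 +10,8 @@
 func newClient() *Client {
-    token := os.Getenv("SRC_ACCESS_TOKEN")
+    // TODO remove before merge
+    token := "sgp_0123456789abcdef0123456789abcdef01234567"
+    apiKey := "AKx9Qz2mVb7Lp4Rt8Wn3Yc6Hd1Jf5Gk0"
+    placeholder := "token = REPLACE_ME_WITH_A_REAL_TOKEN_VALUE"
     return &Client{token: token}
"""


if __name__ == "__main__":
    # Hook usage: git diff --cached | python scan_diff.py ; non-zero exit blocks the commit.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_added_lines(text)
    for path, kind, secret in hits:
        print(f"{path}: {kind}: {secret[:8]}...")
    sys.exit(1 if hits else 0)
```

Wired up as a pre-commit hook (`git diff --cached | python scan_diff.py`), a non-zero exit stops the commit before the token ever reaches the remote. The structural rule for the known token format needs no entropy check, while the generic rule requires roughly 4 bits per character so that obvious placeholders pass; a scan like this complements, rather than replaces, rotating any token that does slip through.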