After an employee leaked a GitHub access token, Mercedes-Benz's source code stored on its GitHub Enterprise server was left exposed for several days. The token, discovered on January 11th, 2024, during a routine internet scan, provided unrestricted access to the source code.
Mercedes revoked the API token as soon as it was notified of the breach on January 24th. Here are some more details on what went down.
Months-Long Exposure Before Detection
The breach occurred on September 29th, 2023 but was not detected until January 11th, 2024. Mercedes revoked the compromised token on January 24th after being notified of the incident by cybersecurity firm RedHunt Labs. For nearly 4 months, attackers could have downloaded proprietary blueprints, design documents, source code, and other critical data.
Significant Business Impacts Beyond IP Loss
According to RedHunt, the breach could have significant financial, legal, and reputational consequences for Mercedes beyond just loss of intellectual property. Access to source code also risks exposure of hardcoded credentials and other sensitive information that could enable further data breaches.
This incident highlights the ongoing risks associated with accidental credential leaks in public code repositories. Earlier in January, GitHub preemptively rotated credentials after discovering a vulnerability that could have allowed access to private data.
Company Acknowledges Severity of Breach
Mercedes acknowledged the severity of this breach and has taken steps to revoke the leaked token. However, the long exposure period raises serious questions about the company's security practices and risk management strategies for public cloud assets. Proper secrets management and governance controls may have prevented this breach, or at least detected it quickly.
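As an added illustration of the kind of detection control referred to above (example code written for this article, not Mercedes' or RedHunt Labs' tooling): a small pre-commit style scanner that flags strings matching GitHub's published access token formats and reports them redacted, so a token like the one in this incident is caught before it reaches a repository. The token prefixes and lengths follow GitHub's documented formats as I understand them and should be checked against current documentation; the `.env` content is a constructed sample.

```python
import re
import sys

# GitHub's published token formats (assumed from GitHub's docs; verify the
# lengths against current documentation): classic tokens are a type prefix
# (ghp_ personal, gho_ OAuth, ghu_ user-to-server, ghs_ server-to-server,
# ghr_ refresh) plus 36 base62 chars; fine-grained PATs are
# "github_pat_" + 22 chars + "_" + 59 chars.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}"
    r"|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)


def redact(token):
    """Keep the prefix and last 4 chars: identifiable in a report, unusable."""
    return token[:7] + "..." + token[-4:]


def scan_text(path, text):
    """Return (path, line_no, redacted_token) for every token-shaped string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            findings.append((path, line_no, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Pre-commit style check over files; the raw secret is never returned."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += scan_text(path, fh.read())
    return findings


# Constructed sample: a .env file that was accidentally staged for commit.
SAMPLE_ENV = "\n".join([
    "# deployment settings",
    "GITHUB_TOKEN=ghp_ExampleTokenForScannerDemo0123456789",
    "API_URL=https://api.github.com",
    "FINE_GRAINED=github_pat_" + "A" * 22 + "_" + "B" * 59,
    "NOT_A_TOKEN=ghp_tooshort",
])

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; exit 1 blocks the commit.
    hits = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(".env", SAMPLE_ENV)
    for path, line_no, token in hits:
        print(f"{path}:{line_no}: GitHub token found ({token})")
    sys.exit(1 if hits else 0)
```

Wired in as a pre-commit hook, a non-zero exit stops the commit; the same `scan_files` routine can be run over an existing history export to find tokens that were already committed.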
It's unclear whether the employee leaked the token deliberately or by accident, but the way Mercedes responded to the breach is worth noting. It took care of it just two days after it was notified.