ConsenSys affected by stolen OAuth attack campaign
We were alerted by GitHub to a security issue in which an unauthorized third party could access and clone GitHub repositories using stolen OAuth user tokens issued to Travis CI, an integrator commonly used for code testing and development. As a user of Travis CI, we immediately initiated an investigation to determine whether this event had impacted our customers. Upon review, we believe a small number of our professional services customers may have been impacted. We have taken immediate steps to communicate with those customers and, where relevant, to undertake precautionary measures such as rotating security tokens and API keys.
No private information related to MetaMask was exposed, and the Infura service has not been impacted. Further, we have no reason to believe at this time that any customer business data or personally identifiable information is affected by the GitHub issue; only source code was accessed.
We take the security of our customers' code and information very seriously, and will continue to work closely with them on this matter and update them as our investigation proceeds. ConsenSys customers can contact us with questions at [email protected]. We urge all other GitHub users to review their own repositories and audit logs immediately to evaluate whether this issue has impacted them.
Update May 17, 2022 on the OAuth attack campaign
This is the sequence of events that led to the OAuth attack campaign and our response (all dates and times are US Eastern):
- Apr 12, 2022: GitHub Security discovered that a third party had abused OAuth user tokens issued to Travis CI and Heroku to download data from dozens of organizations, including npm. The attacker also used a compromised AWS API key, believed to have been obtained from the downloaded private npm repositories, to access npm production infrastructure. (Source: GitHub security update)
- Apr 13 and Apr 14, 2022: GitHub notified Heroku and Travis CI, respectively, of the findings. (Source: GitHub security update)
- Apr 18, 2022, 5:17 PM: ConsenSys received a notification from GitHub advising that ConsenSys was affected by the breach.
- Apr 18, 2022, 7:02 PM: ConsenSys disabled the affected Travis CI integration and started an investigation under its organizational security incident response procedures. Credentials for core ConsenSys infrastructure were rotated as a precaution.
- Apr 19, 2022, 2:19 AM: ConsenSys confirmed that a data breach had occurred after reviewing the platform audit logs and a copy of the logs requested from GitHub Security. The security incident response was escalated, and teams from all organizational areas were mobilized to assist in managing the incident, prioritizing the discovery of secrets in the stolen code that a third party could use to gain illegitimate access to ConsenSys or customer infrastructure.
- Apr 20, 2022: ConsenSys began progressively notifying affected customers about the breach after reviewing each repository and confirming unauthorized access.
- Apr 21, 2022: ConsenSys engaged a forensics consultancy to assist in identifying sensitive information and to perform an in-depth discovery of secrets in code.
- Apr 22, 2022: ConsenSys notified the public of the breach: https://consensys.net/blog/news/consensys-affected-by-stolen-oauth-attack-campaign/
After Apr 22, 2022, ConsenSys continued to:
- Scan the breached repositories to identify and remediate exposed sensitive information, including secrets in code;
- Notify and collaborate with customers affected by the data breach;
- Contact national security organizations and vendor security teams to collaborate on the response to this global threat;
- Review and audit the ConsenSys core infrastructure and implement security improvements.
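The secret-discovery step in the list above is the one that decides what has to be rotated. The following Python script is an added example, not ConsenSys's own tooling: it scans file contents for well-known credential shapes (AWS access key IDs and secret keys, GitHub personal access tokens, PEM private key headers) plus a generic high-entropy assignment check, and can optionally run the same patterns over every added line in full git history, because a secret that was committed and later deleted is still present in the clone an attacker downloaded. The sample files, the entropy threshold and the pattern list are constructed assumptions; the AWS values are AWS's documentation example credentials and the GitHub token is a made-up string of the right shape.

```python
"""Offline secret scan of repository contents, with an optional pass over
full git history. Added example; not ConsenSys's tooling."""
import math
import re
import subprocess
from dataclasses import dataclass

# High-confidence patterns: name -> regex whose group 1 is the secret itself.
SPECIFIC = {
    "aws-access-key-id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "github-token": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "private-key": re.compile(
        r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
}
# Generic fallback: an assignment to a secret-looking name. The value is only
# reported when its Shannon entropy looks like a credential, not a placeholder.
GENERIC = re.compile(
    r"(?i)[A-Za-z_]*(?:key|secret|token|password|passwd)[A-Za-z_]*\s*[=:]\s*"
    r"['\"]?([A-Za-z0-9/+=_\-]{16,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per code base


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    secret: str

    def redacted(self) -> str:
        """Report only a prefix so the report itself does not leak the secret."""
        return f"{self.path}:{self.line_no} {self.kind} {self.secret[:4]}..."


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one blob. Specific patterns win; the generic check only runs on
    lines no specific pattern matched, so a token is not reported twice."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pattern in SPECIFIC.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(1)))
                hit = True
        if hit:
            continue
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "generic-high-entropy", m.group(1)))
    return findings


def scan_blobs(blobs: dict[str, str]) -> list[Finding]:
    """Scan a snapshot: mapping of path -> file contents."""
    return [f for path, text in blobs.items() for f in scan_text(path, text)]


def scan_git_history(repo_dir: str) -> list[Finding]:
    """Scan every added line of every commit on every branch (needs git on
    PATH). A secret removed in a later commit is still in the history the
    attacker cloned and must be rotated, not merely deleted."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "-p", "--no-color", "--format=%H"],
        capture_output=True, text=True, check=True).stdout
    findings, path, cur = [], "<unknown>", 0
    for line in out.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("@@"):  # "@@ -a,b +c,d @@": c is the new-file start line
            cur = int(line.split("+", 1)[1].split(",")[0].split(" ")[0])
        elif line.startswith("+") and not line.startswith("+++"):
            for f in scan_text(path, line[1:]):
                findings.append(Finding(path, cur, f.kind, f.secret))
            cur += 1
        elif line.startswith(" "):
            cur += 1
    return findings


# Constructed sample snapshot (an assumption): what an attacker cloning the
# repository would see. AWS values are AWS's documentation example credentials,
# the GitHub token is a made-up string of the right shape; none is real.
SAMPLE_BLOBS = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'DEBUG = "false"\n'
    ),
    ".travis.yml": "env:\n  - GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n",
    ".env": (
        'DB_PASSWORD="Xq9vT2pLm4Rz8Wn6Yb3Kd7Jh"\n'          # high entropy: reported
        'ADMIN_PASSWORD="changeme_changeme_changeme"\n'    # placeholder: filtered
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "README.md": "Set API_KEY in your environment before running the tests.\n",
}

if __name__ == "__main__":
    for finding in scan_blobs(SAMPLE_BLOBS):
        print(finding.redacted())
```

Every finding from the history pass should be treated as already compromised and rotated; rewriting git history does not recover a secret the attacker holds. The entropy threshold is a tuning knob: too low and placeholders such as `changeme` flood the report, too high and short real passwords are missed, so a generic finding is a lead for review rather than proof on its own.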
As of May 16, 2022, our developers have rotated secrets found in code, and as a result, we believe that there are no outstanding high risks associated with credential loss. ConsenSys will remain vigilant and continue to monitor for any subsequent activity arising from this breach.
ConsenSys would like to acknowledge the quick response and assistance of GitHub, US security agencies, vendors, incident response partners, customers and internal personnel, who have gone beyond the call of duty in this incident response.