GitHub Personal Account Breach

NHI Mgmt Group

Overview

On December 6, 2022, GitHub identified a security breach where an unauthorized actor accessed repositories from GitHub Desktop, Atom, and other deprecated GitHub-owned organizations. The breach occurred due to the compromise of a Personal Access Token (PAT) associated with a machine account. This token allowed the attacker to clone these repositories, which contained encrypted code-signing certificates critical for validating software authenticity.

What Happened?

On December 6, 2022, an unauthorized actor used a compromised Personal Access Token (PAT) belonging to a machine account. This access allowed the actor to clone repositories from Atom, GitHub Desktop, and other deprecated GitHub-owned projects. Several of the cloned repositories contained encrypted code-signing certificates, used to verify the authenticity of software distributed via GitHub.

The breached certificates included:

  • Two DigiCert code-signing certificates for Windows.

  • One Apple Developer ID certificate valid until 2027.

While the certificates were password-protected, their exposure posed a significant risk. If attackers managed to decrypt them, they could use the certificates to sign malicious software and falsely present it as legitimate GitHub applications.

GitHub’s Response

GitHub acted swiftly to mitigate the potential impact:

  1. Credential Revocation: The compromised PAT was revoked on December 7, 2022, limiting further access.

  2. Certificate Invalidation: By February 2, 2023, GitHub revoked the compromised certificates, rendering impacted application versions non-functional unless updated.

  3. Secure Updates: GitHub released new versions of GitHub Desktop and Atom, signed with fresh certificates, ensuring the integrity of their software going forward.

Impact

  • GitHub Desktop: Mac versions from 3.0.2 to 3.1.2 became non-functional post-certificate revocation. Users were required to update to newer versions signed with new certificates.

  • Atom: Versions 1.63.0 and 1.63.1 were impacted, requiring users to downgrade to an older version.

Recommendations

For Users:

  • Immediately update affected GitHub Desktop and Atom applications to secure versions.

  • Regularly monitor application updates for security patches.

For Organizations:

  • Implement automated certificate lifecycle management to safeguard digital identities.

  • Employ robust access control measures to protect machine accounts and sensitive credentials.

  • Continuously monitor and audit system activities to detect unauthorized access promptly.
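The monitoring recommendation above can be made concrete by watching how machine accounts use their tokens. The following added example (not code from the page, from GitHub, or from NHI Mgmt Group) runs a small detector over constructed audit-log lines: a hypothetical policy states which repositories a machine account may clone and from which network, and the detector flags clones outside that scope and bursts of cloning across many repositories, the pattern behind the Atom and GitHub Desktop incident. The field names (action, actor, repo, actor_ip, @timestamp) and the policy are assumptions for the illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines shaped like GitHub audit-log export entries.
# Field names are assumed for this example, not taken from the page.
SAMPLE_LOG = """\
{"action":"git.clone","actor":"desktop-release-bot","repo":"desktop/desktop","actor_ip":"10.20.0.5","@timestamp":1670284800000}
{"action":"git.clone","actor":"desktop-release-bot","repo":"atom/atom","actor_ip":"203.0.113.9","@timestamp":1670284860000}
{"action":"git.clone","actor":"desktop-release-bot","repo":"atom/node-keytar","actor_ip":"203.0.113.9","@timestamp":1670284870000}
{"action":"git.clone","actor":"desktop-release-bot","repo":"atom/apm","actor_ip":"203.0.113.9","@timestamp":1670284880000}
{"action":"git.push","actor":"alice","repo":"desktop/desktop","actor_ip":"198.51.100.4","@timestamp":1670284900000}
"""

# Hypothetical policy: a machine account may only clone the repositories it
# builds, and only from the CI network range its runners live in.
POLICY = {
    "desktop-release-bot": {
        "repos": {"desktop/desktop"},
        "networks": [ipaddress.ip_network("10.20.0.0/16")],
    },
}
BURST_REPOS = 3                  # distinct repos cloned by one account ...
BURST_WINDOW_MS = 5 * 60 * 1000  # ... within five minutes counts as mass cloning

def parse_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_anomalous_clones(entries, policy=POLICY):
    """Return (actor, repo, reason) findings for policy-violating clones."""
    findings = []
    clones = defaultdict(list)  # actor -> [(timestamp_ms, repo)]
    for e in entries:
        if e.get("action") != "git.clone" or e.get("actor") not in policy:
            continue
        rule = policy[e["actor"]]
        ip = ipaddress.ip_address(e["actor_ip"])
        if e["repo"] not in rule["repos"]:
            findings.append((e["actor"], e["repo"], "repo outside allowlist"))
        if not any(ip in net for net in rule["networks"]):
            findings.append((e["actor"], e["repo"], "clone from unexpected network"))
        clones[e["actor"]].append((e["@timestamp"], e["repo"]))
    # Mass-cloning check: many distinct repos by one account in a short window.
    for actor, events in clones.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            window = {r for t, r in events[i:] if t - ts <= BURST_WINDOW_MS}
            if len(window) >= BURST_REPOS:
                findings.append((actor, ",".join(sorted(window)), "mass cloning burst"))
                break
    return findings
```

In the sample, the first clone (allowed repository, CI network) is silent; the three clones of Atom repositories from an outside address each raise two findings, and together they trip the burst rule.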

Conclusion

This incident serves as a wake-up call for the software industry. As supply chain attacks grow in sophistication, the need for robust identity management and secure development practices has never been greater.

GitHub’s decisive actions helped mitigate the immediate risks, but the event underscores an enduring truth: security is not a one-time effort but a continuous process. By adopting a proactive and transparent approach, organizations can not only protect their ecosystems but also foster greater trust with their users.