by jeremymcanally 1511 days ago
The bigger question to me is how did they leverage a GitHub OAuth token to gain access to an internal database unless they're storing that config in their codebase.

If that's the case...yikes.

They didn’t say that happened. I’m reading it as their DB was compromised and its contents included GH auth tokens.

How do you read this as the database had tokens in it?

> Separately, our investigation also revealed that the same compromised token was leveraged to gain access to a database...

EDIT: Ah yep you're right. Two tokens in play there: one Heroku API token, one GitHub token. Phew.