Hacker News
by johnwards 4610 days ago
I'm pretty sure that Circle uses the OAuth API to check out repos; the deploy key part on GitHub they use for their deployment feature.

If the attacker has a bunch of tokens, could they have bulk downloaded source code before the OAuth stuff was revoked by Circle?

https://github.com/blog/1270-easier-builds-and-deployments-u...