A GitHub token leak compromised Mercedes-Benz’s source code, revealing critical internal information including intellectual property, passwords, and cloud access keys.

The breach was traced back to a Mercedes-Benz employee’s GitHub token, found in a public repository on September 29. RedHunt Labs researchers determined that this token provided unrestricted access to the car manufacturer’s internal GitHub Enterprise Server.

Sensitive data exposed in the leak included database connection strings, cloud access keys, blueprints, design documents, single sign-on (SSO) passwords, API keys, and other vital internal details, according to the RedHunt Labs report.

The vulnerability posed by the leaked token could have enabled cyber attackers to mine Mercedes’ source code for valuable intellectual property, reports, files, credentials, and more, posing a significant security threat.

Although the token was initially leaked in September, it wasn’t discovered by researchers until January 11th, with Mercedes revoking the token on January 24th. This delay suggests that unauthorized access to Mercedes’ GitHub Enterprise Server could have occurred undetected over several months.

“The exposure of the GitHub token linked to Mercedes-Benz’s GitHub Enterprise Server could potentially allow adversaries to access and exfiltrate the organization’s entire source code. Such access poses the risk of revealing highly sensitive credentials, potentially leading to a severe data breach against Mercedes-Benz,” the researchers warned.

Mercedes-Benz, a leading premium vehicle brand under Mercedes-Benz Group AG, boasts annual revenues surpassing €133 billion (USD 144 billion) and employs more than 170,000 people worldwide.

Published on Feb 5, 2024 at 03:12 PM IST
