Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev

OAuth tokens have been abused for intrusions at least two other companies, Dave.com and Flood.io.
Written by Catalin Cimpanu, Contributor
Git source code
Image: Yancy Min

Waydev, an analytics platform used by software companies, has disclosed a security breach earlier this month.

The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database.

Hackers pivoted from Waydev to other companies

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers' work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores.

When users install the app, Waydev receives an OAuth token that it can use to access its customers' GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers.

Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens.

The hackers then used some of these tokens to pivot to other companies' codebases and gain access to their source code projects.

GitHub's security team discovered the breach

Circei said Waydev learned of the breach after one of its customers was contacted by GitHub's security team after GitHub detected suspicious activity originating from the customer's Waydev token.

The Waydev CEO told ZDNet they learned of the attack on July 3 and patched the vulnerability exploited by attackers on the same day. They also worked with GitHub and GitLab to delist their original apps, revoke all affected OAuth tokens, and create new OAuth apps -- effectively invalidating the hacker's access to Waydev customers' GitHub and GitLab accounts.

Circei says that based on current evidence, the hackers appear to have gained access only to a small subset of its customer codebases.

At the time of writing, two companies have reported security breaches this month and blamed the incident on Waydev -- loan app Dave.com and software testing service Flood.io.

Waydev said it also notified US authorities about the security breach.

"Due to GitHub's privacy policy, they will inform the affected users personally," Waydev said. "If you were affected by the attackers please contact us at security@waydev.co in order to connect you with the authorities."

Circei said they're also working with cyber-security firm Bit Sentinel on investigating the breach, and that they also deployed additional security protections to Waydev accounts, such as:

  • Manual access - It is now impossible to create an account without approval from our security team;
  • Monitoring all the activity;
  • Tokens resetting two times a day;
  • Reported the incident to authorities.

Hackers' details

In a rare case of transparency, Waydev also released indicators of compromise associated with the hackers -- such as email addresses, IP addresses, and user-agent strings -- something that companies rarely do nowadays.

  • IP Addresses of the hacker:,,,,, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx
  • User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
  • Email addresses: saturndayc@protonmail.com, ohoussem.bale6@sikatan.co, 5abra.adrinelt@datacoeur.com, 4monica.nascimene@vibupis.tk

The indicators of compromise, along with instructions for Waydev customers on how to search their logs for the hacker's presence, are available in this Waydev support page.

These are 2018's biggest hacks, leaks, and data breaches

Editorial standards