Cyber Incident Victim: Flood.io
Date: Jul 2020
Location: United States of America
Summary
Hackers exploited a blind SQL injection vulnerability in a Git analytics platform to steal GitHub and GitLab OAuth tokens from its internal database, subsequently using these tokens to infiltrate external customer code repositories. The compromised credentials facilitated unauthorized access to source code projects at multiple companies, including Flood.io, leading to breaches disclosed shortly after the incident. The affected platform promptly addressed the vulnerability, invalidated stolen tokens through collaboration with Git service providers, and implemented enhanced security controls such as activity monitoring and token resets while sharing threat indicators to support customer investigations.
Description
On July 3, 2020, hackers exploited a blind SQL injection vulnerability in Waydev, a Git analytics platform, to infiltrate its internal database and steal GitHub and GitLab OAuth tokens. These tokens, used by Waydev customers to integrate their code repositories with the analytics service, allowed attackers to pivot to external systems. GitHub’s security team detected anomalous activity linked to a customer’s Waydev token, prompting an investigation that revealed the breach. Waydev immediately patched the vulnerability upon discovery and collaborated with GitHub and GitLab to revoke compromised tokens, delist original OAuth applications, and issue replacements to invalidate attacker access. The company confirmed hackers accessed only a limited subset of customer codebases but did not disclose the exact number of affected organizations.

The stolen tokens facilitated subsequent breaches at multiple companies, including financial service provider Dave.com and software testing platform Flood.io, both of which publicly attributed their July 2020 security incidents to the Waydev compromise. Waydev notified U.S. authorities and shared attacker indicators—such as IP addresses, email addresses, and user-agent strings—to assist customers in log reviews. Post-incident, Waydev implemented stricter security controls, including manual account approvals, continuous activity monitoring, and periodic token resets. The company directed users to its support portal for additional guidance but did not specify whether customer data beyond code repositories was exposed. No further details regarding Flood.io’s specific compromise scope or operational disruptions were disclosed in the available reporting.
