Over 500 accounts believed to be affected as police issue security advisory
South Korea’s national police said Tuesday they had launched an investigation after confirming that a large number of personal access tokens that could be used to access private GitHub repositories had been exposed.
GitHub, a Microsoft-owned software development platform, allows companies and developers to store, manage and share source code. Personal access tokens, or PATs, are credentials used to authenticate users and grant access to repositories and other resources.
More than 500 accounts are believed to have been affected, according to local daily Chosun Ilbo.
Police warned that attackers could use the exposed tokens to obtain source code or internal information related to critical systems. Such information could then be used in further attacks or to steal personal data and confidential business information.
The National Office of Investigation at the National Police Agency issued a security advisory outlining urgent measures to prevent further damage.
Police also notified Microsoft, Interpol and companies whose accounts were affected, recommending that they take additional security measures.
Individuals and companies were advised to review access logs for suspicious activity over the past three months. Those who detect signs of unauthorized access should immediately revoke the exposed tokens and generate new ones, police said.
The advisory also recommended enabling two-factor authentication, limiting access privileges, avoiding the storage of credentials in source code, activating secret-scanning features and using IP allow-lists.
Police urged companies to conduct security checks on computers used by developers.
GitHub said it had revoked the exposed tokens and alerted affected users.
“This is a case in which attackers targeted not only corporate information and communications networks but also development infrastructure,” said Park Woo-hyun, a senior cyber investigation official at the NPA.
“We ask companies to report the matter immediately if they have suffered damage or detect any signs of a possible breach.”







