German automotive corporation Mercedes-Benz accidentally exposed its source code after leaving a GitHub access token online, TechCrunch reported.
The leak was discovered by researchers from cybersecurity firm RedHunt Labs after they found a Mercedes employee’s authentication token in a public GitHub repository that gave full access to Mercedes’s GitHub Enterprise Server and the company’s private source code repositories.
These repositories contained a trove of sensitive information such as intellectual property, including “connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information,” the researchers said. The exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code.
After being informed of the leak, Mercedes-Benz immediately revoked the token and removed the public repository. According to the company's spokesperson, the incident was caused by human error. It is unclear whether any customer data was exposed in the incident or whether the exposed data was accessed by a third party.
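The root cause above is a credential committed to a public repository. As an added illustration (not code from Mercedes-Benz, RedHunt Labs or TechCrunch), the following pre-commit style scanner flags GitHub token shapes in file contents before they are pushed and reports them redacted. The token prefixes and lengths are assumptions based on GitHub's published formats, and the sample file contents and tokens are constructed for this example.

```python
import re
import sys

# Constructed sample: the kind of working-tree content a pre-commit hook or CI
# job would inspect. Both token values are fabricated for this example.
SAMPLE_FILES = {
    "config/deploy.yml": "github_token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
    "README.md": "Run `make build` to compile.\n",
    ".env": "GH_PAT=github_pat_11ABCDEFG0123456789_abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefg\n",
}

# Assumed token shapes: classic personal access tokens start with ghp_ (OAuth,
# user-to-server, server-to-server and refresh tokens with gho_/ghu_/ghs_/ghr_)
# followed by 36 alphanumerics; fine-grained tokens start with github_pat_ and
# are considerably longer. Adjust if GitHub changes these formats.
TOKEN_PATTERNS = {
    "github_classic_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{60,}\b"),
}


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so logs never carry the secret."""
    return token[:8] + "..." + token[-4:]


def find_leaked_tokens(files: dict) -> list:
    """Return (path, line_no, kind, redacted_token) for every token-shaped match."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in TOKEN_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((path, line_no, kind, redact(match.group(0))))
    return findings


if __name__ == "__main__":
    # As a pre-commit hook: a non-zero exit blocks the commit that carries a token.
    hits = find_leaked_tokens(SAMPLE_FILES)
    for path, line_no, kind, redacted in hits:
        print(f"{path}:{line_no}: {kind} {redacted}")
    sys.exit(1 if hits else 0)
```

Wire it to `git diff --cached` output in a real hook, and note that any token that has already reached a remote must be revoked, exactly as Mercedes-Benz did, since scanning cannot undo exposure.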