Security incident on DeepSource’s GitHub application

On July 11th, 2020, around 5AM UTC, DeepSource was notified by the GitHub Security Team that they were tracking potentially malicious activity related to the DeepSource GitHub application.

The GitHub Security Team had observed a large number of requests from unusual IP addresses on behalf of many distinct DeepSource users, starting in mid-June, which stood out as anomalous. At that time, GitHub did not yet know the source of the compromise.

By 7AM UTC the same day, we had rotated all user tokens, client secrets and private keys belonging to the application. Since we did not know the origin of the attack, we also rotated the credentials and keys of every employee with access to production systems. Our internal investigation found no unauthorized access or unusual behaviour on our own systems, and we have concluded that the DeepSource infrastructure was not breached.

On July 16, 2020, around 1:45 AM UTC, the GitHub Security Team got back to us with information that identified the source of the compromise. One of our employees' GitHub accounts had been compromised by the Sawfish phishing campaign that targeted GitHub users, and the attacker used that account to obtain the DeepSource GitHub app's credentials, which is what allowed the requests GitHub had observed.

Unfortunately, GitHub's privacy policy prevents them from sharing the list of affected users with us, so we are disclosing this issue publicly while GitHub completes its investigation. Our understanding is that GitHub will notify the directly affected users as per their policies. If you use DeepSource, you should visit https://support.github.com/contact?subject=GH-0000502-3963-3+Log+Request&tags=GH-0000502-3963-3 and request logs from GitHub covering repository downloads and other account activity, then check them for any activity you do not recognise, in particular requests from unfamiliar IP addresses from mid-June onwards.

We are always looking for ways to improve our security. From the moment GitHub first notified us, we involved industry security advisors. We have put policies in place for periodic security training and phishing drills for all employees, and will update these policies as necessary. Additionally, we have started work towards SOC 2 Type 2 compliance certification, which will allow third-party auditors to verify that DeepSource's security practices meet or exceed industry standards. In the near future, we will launch a security bug bounty program so that the best security testers in the world can probe DeepSource for weaknesses.

We have always taken great care to ensure DeepSource meets the security needs of our users. The DeepSource application itself was not the point of weakness in this incident; the app's credentials were obtained by phishing an employee's GitHub account, not by exploiting a flaw in our application or infrastructure. We are nonetheless taking the steps listed above to strengthen the security of our applications, our teams, and your data.

We appreciate GitHub's swift response to this issue. Comments are disabled on this post due to its sensitive nature. If you have any questions, please reach out to us privately at security@deepsource.io and we will assist you in every way we can.

Note: We sent this same notice to all our users by e-mail on July 20, 2020, around 10:40 PM UTC.