On July 14, Koreaโ€™s National Office of Investigation (NOI), part of the Korean National Police Agency, confirmed that over 500 personal access tokens (PATs) used to sign in to GitHub had been leaked, and issued an urgent security advisory. Once such a token is handed over, an attacker can reach private repositories without knowing the ID or password โ€” putting source code, corporate secrets, and personal data at risk together. If you are a developer or a company, the safe move is to check your access logs right now and reissue your tokens. Today we lay out what happened and how to respond. ๐Ÿ”

TL;DR

  • The NOI confirmed a leak of over 500 GitHub personal access tokens (PATs) and distributed a security advisory on July 14.
  • A PAT grants access to private repositories without an ID or password, so a leak can lead to theft of source code and corporate information.
  • The core guidance: review access logs from the past 1โ€“3 months, and if you see signs of compromise, immediately revoke and reissue the affected tokens.

๐Ÿšจ What Happened?

Access credentials for GitHub accounts leaked in bulk. On July 14, Koreaโ€™s National Office of Investigation said it had confirmed that a large number of personal access tokens (PATs) used to sign in to GitHub were leaked, and that it is investigating. So far, about 500 accounts are known to have had their access credentials exposed; of those, 370-plus accounts across 54 countries have had their nationality identified, including roughly 30 domestic (Korean) accounts. The nationality of the remaining accounts is not yet confirmed.

The trail began with a separate cybercrime case. Police discovered that a suspect in an unrelated investigation was holding another personโ€™s GitHub token, which surfaced the leak; they identified it on July 9.

๐Ÿ”‘ What Exactly Is a Personal Access Token (PAT)?

A personal access token is an authentication method used to reach private repositories or to sign in to GitHub from the command line and automation tools. It effectively acts as a key that stands in for an ID and password โ€” and that is precisely what makes this leak dangerous.

Once a single line of token reaches an attackerโ€™s hands, they can access repositories without knowing the accountโ€™s ID or password. The attacker can obtain not only the source code stored in the repository but also any other system access details written inside that code, widening the intrusion into a companyโ€™s core systems. In other words, a single leaked token can lead straight to theft of source code, corporate secrets, and personal data.

๐Ÿ›ก๏ธ How Did GitHub and the Police Respond?

After confirming the leak, police promptly notified Microsoft, which operates GitHub, and shared information with Interpol. GitHub told police it had completed the necessary security measures, including revoking the leaked tokens and warning the affected users.

To prevent further damage, police distributed a security advisory to domestic companies and developers. Even with the operatorโ€™s measures done, an individual userโ€™s own check is a separate matter โ€” so you still need to verify your access logs and token status yourself.

โœ… What Should You Do Now?

The most urgent steps are checking access logs and reissuing tokens. Here is the police guidance, in order.

First, check whether there has been any abnormal access over the past 1โ€“3 months, and if you see signs of compromise, immediately revoke the existing personal access token and issue a new one. On top of that, apply multi-factor authentication (MFA) to access privileges, and narrow each accountโ€™s permissions to the minimum. Not writing key system access details (passwords, keys, tokens, and the like) directly into source code is another basic rule. Finally, regularly check the security state of developer PCs to prevent the device holding the token from being breached first.

๐Ÿ“ Wrap-Up

This incident lays bare a trait of development environments where a single โ€œtoken,โ€ not an ID and password, becomes the key to an entire account. With the leak spanning over 500 accounts โ€” roughly 30 of them domestic โ€” and the source code inside repositories along with the access details written into it potentially exposed, this is not something to take lightly. Even with steps taken by the operator and the police, checking individual accounts ultimately falls to the user, so it is best not to put off reviewing access logs, reissuing tokens, and applying multi-factor authentication.

โ€ป This article is a security notice written for informational purposes.

Sources