Commit 39d909ab authored by Kathy Wang's avatar Kathy Wang
Update 2018-03-26-summary-of-limited-gitlab-credentials-exposed.html.md

......@@ -10,7 +10,7 @@ description: "Summary of Limited GitLab Credentials Exposed in an Internal Loggi
 
## Summary
 
From 19 February 2018 to 19 March 2018, some GitLab.com personal access tokens and third party credentials were inadvertently exposed publicly via a unprotected logging dashboard. The affected users represent approximately 0.5% of our GitLab.com user base. While the dashboard was originally protected from unauthorized access, a recent configuration change made this internal system publically accessible.
From February 19, 2018 to March 19, 2018, some GitLab.com personal access tokens and third party credentials were inadvertently exposed publicly via a unprotected logging dashboard. The affected users represent approximately 0.5% of our GitLab.com user base. While the dashboard was originally protected from unauthorized access, a recent configuration change made this internal system publically accessible.
 
<!-- more -->
 
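Review bot: since this line is being rewritten anyway, fix the two spelling errors it still carries: "a unprotected logging dashboard" should read "an unprotected logging dashboard", and "publically accessible" should read "publicly accessible". While here, "third party credentials" reads better hyphenated as "third-party credentials". The date-format change itself is fine and matches the second hunk.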
......@@ -38,7 +38,7 @@ GitLab uses an OAuth proxy service to authenticate all access to our internal lo
 
There is no evidence of user credential abuse. However, the audit logs for the dashboard only cover seven of the thirty days in question. The only audit log activity accessing sensitive information was from the user that immediately reported the issue to GitLab. We found no evidence of abuse against the API itself. Regardless, we are taking every precaution, and strongly recommending all affected Gitlab.com users rotate their personal access tokens. Affected users have received further instructions via email notifications, accordingly.
 
Although there is no evidence to suggest it happened, in the worst case an attacker could have gained access and obtained personal access tokens used in API calls between 19 February 2018 and 19 March 2018.
Although there is no evidence to suggest it happened, in the worst case an attacker could have gained access and obtained personal access tokens used in API calls between February 19, 2018 and March 19, 2018.
 
## Mitigations
 
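Review bot: the unchanged context line above the edited one spells the product "Gitlab.com" (lowercase l) in "strongly recommending all affected Gitlab.com users rotate their personal access tokens", while the rest of the post uses "GitLab.com"; worth normalizing in the same pass as the date format. The trailing "accordingly" in "Affected users have received further instructions via email notifications, accordingly." adds nothing and can be dropped. The date rewrite on the edited line is consistent with the first hunk.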