Mitigating leaked personal access tokens (PATs) found on GitHub public repositories
Personal access tokens (PATs) make it easy to integrate your tools with Azure DevOps or extend Azure DevOps functionality for your business needs. However, like other authentication credentials, personal access tokens need to be stored securely. Leaked tokens could compromise your Azure DevOps account and data, putting your applications and services at significant risk.
One all too common threat is accidentally checking your personal access tokens into your repositories.
GitHub is the home for all developers on the planet to host their projects, contribute to open source and leverage the power of the community to achieve their goals faster. However this means that secure credentials like personal access tokens checked into public repositories on GitHub are susceptible to even more risk, particularly since malicious actors are always scanning these public repositories for opportunities.
I am excited to announce that the Azure DevOps security team, in collaboration with our partners at GitHub, will begin to scan for Azure DevOps personal access tokens (PATs) checked into public repositories on GitHub. When our team discovers a leaked token, we’ll immediately send a detailed email notification to the token owner and log an event to your Azure DevOps Organization’s Audit Log. We encourage impacted user(s) to mitigate immediately by rotating or revoking the leaked token. If the token has not been rotated or revoked after 72 hours, we will automatically revoke the token on your behalf. You will receive another email notification and audit log event once the token has been revoked.
Please comment below if you have any questions or concerns!