Skip to main content
Dormant GitHub Accounts Map Your Org StructureIncident
4 min readFor Security Engineers

Dormant GitHub Accounts Map Your Org Structure

What Happened

Datadog Security Labs identified coordinated reconnaissance campaigns using over 50 dormant GitHub accounts to map corporate organizations. Attackers issued API queries through accounts that were often years old, blending their traffic with normal GitHub activity. They listed public repositories, walked user lists, and ran GraphQL queries to build detailed organizational charts.

In some cases, the campaigns went beyond public data collection. Compromised accounts with valid personal access tokens (PATs) allowed attackers to clone private repositories and access internal code.

Timeline

The exact timeline of individual intrusions remains unclear, but the pattern is consistent:

  1. Initial Access: Attackers acquire dormant accounts or compromise active ones to obtain valid PATs.
  2. Reconnaissance Phase: Systematic API queries map organization structure, team composition, and repository relationships.
  3. Escalation: Where PATs grant sufficient permissions, attackers clone private repositories.
  4. Persistence: Old, inactive accounts continue issuing queries without triggering typical security alerts.

The campaigns appear ongoing, with Datadog Security Labs researcher Julie Agnes Sparks noting the activity's scale and coordination.

Which Controls Failed

Account Lifecycle Management

Your team likely doesn't have a process to identify and disable dormant GitHub accounts. These accounts maintain valid credentials and API access indefinitely. An account created three years ago by a contractor who left 18 months ago still has full API access today.

API Rate Limiting and Monitoring

GitHub's API allows authenticated users to make thousands of requests per hour. Normal developer workflows generate similar patterns, so attackers issuing 100 GraphQL queries to enumerate your org structure look identical to a developer running a CI/CD pipeline.

Most organizations don't monitor GitHub API usage at all. You're not tracking which accounts query your organization's member list, who's pulling repository metadata, or which PATs are accessing private repos from unexpected locations.

Personal Access Token Security

PATs function like permanent passwords with broad permissions. PCI DSS v4.0.1 Requirement 8.2.2 mandates multi-factor authentication for all access to cardholder data environments, but GitHub PATs bypass this entirely. A compromised token works from any IP address without triggering MFA prompts.

You probably don't know:

  • How many PATs your developers have created
  • What permissions each token has
  • When those tokens were last used
  • Whether any tokens have been committed to public repositories

Network Segmentation

The attacks demonstrate why API access deserves the same scrutiny as network access. NIST 800-53 Rev 5 control AC-4 requires information flow enforcement, but your GitHub organization likely allows any authenticated account to query organizational data. There's no equivalent to network segmentation for API consumers.

What the Standards Require

ISO/IEC 27001:2022 Control 5.18 (Access Management) requires organizations to limit access based on the principle of least privilege. This applies to API tokens, not just user accounts. Each PAT should have the minimum scope necessary for its function.

NIST CSF v2.0 Function PR.AC-4 calls for access permissions and authorizations to be managed, incorporating the principle of least privilege. Your GitHub organization structure should enforce this through:

  • Repository-level access controls
  • Scoped PATs that can't enumerate the entire organization
  • Time-limited tokens for automation

PCI DSS v4.0.1 Requirement 8.3.2 mandates strong authentication for all system components. While GitHub supports this for user logins, PATs create an exception. If your repositories contain anything related to cardholder data, you need compensating controls around token management.

SOC 2 Type II CC6.1 (Logical and Physical Access Controls) requires restricting access to information assets. Your auditor will ask how you manage API access, token lifecycle, and dormant account removal.

Lessons and Action Items

Audit Your GitHub Organization Today

Run this query to find accounts that haven't committed code in six months:

GET /orgs/{org}/members

Cross-reference against your HR system. Any account belonging to a former employee should be removed immediately, not just from the organization but from any team memberships or repository access.

Implement PAT Hygiene

GitHub's fine-grained personal access tokens let you scope permissions to specific repositories with expiration dates. Require your team to:

  • Use fine-grained tokens instead of classic PATs
  • Set 90-day expiration maximums
  • Document the purpose of each token in your secrets management system
  • Rotate tokens when team members change roles or leave

Monitor API Usage Patterns

Enable GitHub's audit log streaming to your SIEM. Alert on:

  • Accounts querying organization member lists
  • GraphQL queries that enumerate repository structures
  • API requests from unexpected geographic locations
  • Sudden spikes in API usage from individual accounts

Segment Access by Function

Create separate GitHub organizations for different security zones. Your public open-source projects shouldn't share an organization with private repositories containing customer data. This limits what attackers can enumerate even with valid credentials.

Review Repository Visibility

List all repositories marked "public" in your organization. For each one, verify it should be publicly accessible. Developers often set repositories to public during testing and forget to change the setting. One misconfigured repo can reveal your entire technology stack.

Establish Token Rotation Requirements

Treat PATs like database credentials. ISO/IEC 27001:2022 Control 8.5 requires periodic review of user access rights. Apply the same principle to API tokens. Your policy should mandate:

  • Quarterly review of all active PATs
  • Immediate revocation when team members change roles
  • Automated alerts when tokens are used from new locations

The dormant account technique works because it exploits normal behavior. Old accounts issuing API queries don't trigger alerts. Your monitoring focuses on failed authentication attempts, not successful ones from stale credentials. Close that gap.

Topics:Incident

You Might Also Like