Earlier today we received a security disclosure from a community member who was able to gain unauthorized access to some of the information from a small group of MLH Fellowship applications. We worked with the individual to close the issue and delete the data they had accessed. We have no reason to believe that this information was accessed by anyone else or will be made public as a result of this breach.
Once an applicant reaches the technical interview portion of the application process, we share a secret link with the mentors who will perform the interview. The page behind that link contains the subset of the application they need for the call: the applicant's name, email, phone number, LinkedIn URL, GitHub URL, and code sample URL. Before the call, interviewers review this information and click through to the provided code sample to prepare for the conversation.
When an interviewer clicks through from that page, their browser sends the address of the page they came from, secret link included, to GitHub in the HTTP Referer header. GitHub records the referrer for any traffic arriving at a repository and makes that data available to the repository's maintainers. The individual who disclosed the issue found the mentor's secret URL in the traffic data for their own repository and, because possession of the link was enough to open the page, was able to see the information of about 250 applicants.
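The leak described above is a property of how browsers handle links, not of GitHub specifically: any page whose URL carries a secret will hand that URL to every cross-origin site it links to unless the page, or the link, opts out of sending a referrer. The following is an added example, not MLH's code or GitHub's, that models what the Referer header contains under each Referrer-Policy value and audits a page for outbound links that would carry the secret. The host share.example, the token in the path, and the sample HTML are constructed for the demo.

```python
"""Referrer leakage check for pages whose URL is itself the secret.

Added example, not MLH's code. The host share.example, the token in the
path and the sample HTML below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Browser default before strict-origin-when-cross-origin became the norm:
# the full page URL is sent cross-origin as long as HTTPS is not downgraded.
DEFAULT_POLICY = "no-referrer-when-downgrade"


def _origin(url):
    """scheme://host[:port]/ -- what an origin-only Referer header contains."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}/"


def _stripped(url):
    """Full URL minus userinfo and fragment -- what a full Referer header contains."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname or ''}{port}", p.path or "/", p.query, ""))


def referer_for(page_url, target_url, policy=DEFAULT_POLICY):
    """Referer value a browser sends when a link on page_url to target_url is
    followed under the given Referrer-Policy; None means no header at all."""
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme == "http"
    same_origin = _origin(page_url) == _origin(target_url)
    full, origin = _stripped(page_url), _origin(page_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unknown referrer policy: {policy}")


class _Links(HTMLParser):
    """Collects <a href> targets with their rel tokens and any <meta name=referrer>."""
    def __init__(self):
        super().__init__()
        self.links, self.meta_policy = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower().split()))
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = (a.get("content") or "").lower()


def leaking_links(page_url, html, header_policy=None):
    """Cross-origin links on the page that would carry page_url (and so the token
    in it) in the Referer header. The most recently set policy wins, so a <meta>
    tag overrides the response header; rel=noreferrer pins one link to no-referrer."""
    doc = _Links()
    doc.feed(html)
    policy = doc.meta_policy or header_policy or DEFAULT_POLICY
    leaks = []
    for href, rel in doc.links:
        target = urljoin(page_url, href)
        if "noreferrer" in rel or _origin(target) == _origin(page_url):
            continue  # same-origin traffic never leaves the site
        if referer_for(page_url, target, policy) == _stripped(page_url):
            leaks.append(target)
    return leaks


# Constructed sample: the path segment is the capability token protecting the packet.
PAGE_URL = "https://share.example/interview/7f3a9c2e"
PACKET = """<html><body>
<a href="/interviews">Back</a>
<a href="https://github.com/applicant/project">Code sample</a>
<a href="https://www.linkedin.com/in/applicant">LinkedIn</a>
</body></html>"""
HARDENED = """<html><head><meta name="referrer" content="no-referrer"></head><body>
<a href="https://github.com/applicant/project" rel="noopener noreferrer">Code sample</a>
<a href="https://www.linkedin.com/in/applicant" rel="noopener noreferrer">LinkedIn</a>
</body></html>"""

if __name__ == "__main__":
    print(referer_for(PAGE_URL, "https://github.com/applicant/project"))
    print(leaking_links(PAGE_URL, PACKET))    # both outbound links leak the token
    print(leaking_links(PAGE_URL, HARDENED))  # nothing leaks
```

Under the older browser default, both outbound links on the sample packet carry the token; a `Referrer-Policy: no-referrer` header, the equivalent `<meta name="referrer">` tag, or `rel="noreferrer"` on each link stops it. Those are point fixes, though: a URL that is the only access control also lands in browser history, bookmarks, proxy and CDN logs and support tickets, so the durable change is to stop putting the secret in the URL at all and require the mentor to authenticate before the page is served.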
What does this mean?
We have already spoken to the individual and worked with them to close the issue. They have indicated that the exposed data was deleted and that they brought this vulnerability to our attention to prevent anyone from maliciously exploiting it. We have also changed the way we share application information with mentors to prevent this from happening again in the future and disclosed the vulnerability to the software provider.
While we have no reason to believe that the data was used maliciously or will be, we notified applicants who were impacted immediately. These applicants represent less than 2% of the total we have received and, to our knowledge, no other applicants could have been impacted by this issue. If you have not received an email notification about this situation, you have not been impacted.
- 1:00pm ET: Security disclosure emailed to MLH
- 1:15pm ET: Email read, all share links disabled and API keys rotated
- 1:30pm ET: MLH speaks to disclosing party and confirms source of issue
- 2:05pm ET: MLH receives email indicating that data has been deleted and vulnerability closed
- 2:30pm ET: Impacted applicants, mentors, and software vendor notified
MLH takes data and privacy seriously. We apologize to anyone who was impacted by this situation. Please reach out to firstname.lastname@example.org if you have questions or concerns.
CEO & Co-Founder, MLH