Leaked Linear API key — ticket exfiltration

Linear API keys grant access to the issuing user's full workspace scope. Leakage = attacker reads every team's issues, comments, and attachments.

The next 60 seconds matter

The attacker runs Linear's GraphQL API queries, exfiltrating every ticket including security discussions, product plans, and customer feedback. May also modify issues.

  • Exfiltrate every issue in every team
  • Read attachments and linked documents
  • Modify issue states to disrupt workflow

Rotation playbook

  1. linear.app → Settings → API → Revoke the leaked key
  2. Generate a new key; rotate downstream

Prevent the next one

  • Use OAuth apps instead of personal API keys for integrations
  • Rotate keys on team-member departure
Pattern we scan for
lin_api_{40 chars}