GitHub users should consider changing their account password to a more complex one and setting up 2-factor authentication in order to protect themselves from automated brute force attacks, warns GitHub security engineer Shawn Davenport.
An attack of that kind is currently aimed at GitHub users, and has been for the past few days. Some user accounts with weak passwords have already been compromised. Luckily for the affected users, GitHub has reset their passwords and revoked their personal access tokens, OAuth authorizations, and SSH keys. They have naturally been apprised of this.
“This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information,” Davenport noted, adding that some user accounts may have been reset even if a strong password was being used, because activity on these accounts showed logins from IP addresses involved in this incident.
“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses. These addresses were used to slowly brute force weak passwords or passwords used on multiple sites,” he explained. “We are working on additional rate-limiting measures to address this.”
Users commenting on Hacker News have noticed failed login attempts coming from IP addresses in China, Indonesia, Venezuela, Ecuador, and so on. A commenter that seems to be working at GitHub wrote that they have “added a kill-list of known decrypted passwords and English language words and forced people to reset their passwords who are listed in the Adobe breach.”
“We wrote a script that hashed these passwords with the stored salt for each user and compared the result with the stored hashed value. Basically we brute forced everyone’s accounts with the dictionary provided,” the commenter added. “Anyone who was found with an account that was in the dictionary was locked out with forced password change. We changed the password policy before doing this to increase complexity and block dictionary and the decrypted list words. We also force people to change their password every 28 days anyway and keep the last 7 hashed passwords and salts to verify that the user hasn’t reused.”
Apparently, Github will make it impossible to login with commonly-used weak passwords, but I really can’t tell if that measure has already been implemented. The current requirement to use at least one lowercase letter, one numeral, and seven characters is far from conducive to choosing complex passwords.
Nevertheless, users can choose to make a better effort, and they are urged to set up the recently introduced two-factor authentication option, which makes brute force attacks of this kind impossible to execute unless the attacker also has access to the user’s phone or account recovery codes.
If you are a user and want to check whether the attackers have tried to access your account, go to the Security History page and check out the login logs.