GitHub accounts compromised in wake of reused password attack

Three days ago, an unknown attacker was spotted trying to break into a large number of GitHub accounts and managed to access some of them, Shawn Davenport, Vice President of Security at the popular code repository, shared on Thursday.

Reused password attack

“GitHub has not been hacked or compromised,” he noted. “This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts.”

With the constant stream of data leaks tied to historic mega breaches that we have been witnessing lately, the attacker could take his pick of username/password combinations to try out.

In fact, Facebook and Netflix, in an attempt to head off such attacks, compared the leaked data with their own, and forced password resets on users who used the same one for various online accounts.
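The breach-comparison check described above, as an added example that is not code from GitHub, Facebook or Netflix: it assumes the site stores salted PBKDF2 password hashes, so each leaked plaintext has to be rehashed with that user's own salt before it can be compared, and both the local user store and the leak dump are constructed here.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the site's PBKDF2 scheme


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a given per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str):
    """Build one constructed user record: email -> (salt, hash)."""
    salt = os.urandom(16)
    return email.lower(), (salt, hash_password(password, salt))


# Constructed local user store, in place of the authentication database.
LOCAL_USERS = dict([
    make_user("alice@example.com", "correct horse battery staple"),
    make_user("bob@example.com", "Summer2016!"),        # reused on another service
    make_user("carol@example.com", "another-unique-pass"),
])

# Constructed (email, plaintext password) pairs standing in for a third-party leak.
LEAKED_CREDENTIALS = [
    ("Bob@Example.com", "Summer2016!"),     # same password as local: flag for reset
    ("carol@example.com", "Summer2016!"),   # same email, different password: no match
    ("dave@example.com", "hunter2"),        # not a local user: ignored
]


def find_reused_credentials(local_users, leaked):
    """Return the local emails whose leaked password verifies against the stored hash.

    Each candidate is rehashed with the user's salt; a constant-time compare
    avoids leaking timing information about partial hash matches.
    """
    flagged = []
    for email, leaked_password in leaked:
        record = local_users.get(email.lower())
        if record is None:
            continue
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            flagged.append(email.lower())
    return flagged
```

Accounts returned by `find_reused_credentials` are the ones to force a password reset on; a leak that contains only hashes under a different scheme cannot be compared this way and has to be treated as a signal to reset on email match alone.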

GitHub has reset the passwords on all affected accounts and has begun notifying the users concerned. Those users should consider all information stored in, or tied to, their account as exposed.

I guess it’s possible that the attacker tampered with the code in the users’ repos, although this seems more like a random attack aimed at harvesting potentially useful information.

Davenport advised users to choose a strong new password they won’t reuse on other online services, and to enable two-factor authentication to protect their account.