GitHub presses big red password reset button after third-party breach
Mystery hackers look to harness password reuse and take control of accounts
GitHub has reset the passwords of users targeted in an attack this week that relied on credentials stolen in a breach at a third-party site.
The software repository itself has not suffered a breach.
Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains.
On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of GitHub.com accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.
GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected.
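The pattern GitHub describes, leaked email and password pairs replayed against another service's login, leaves a distinctive trace in authentication logs: one attempt per account across many accounts from the same source, with a low but non-zero success rate. A brute-force attack looks different, many attempts against one or two accounts. The script below is an added example, not GitHub's code or tooling; the log format (timestamp, source IP, username, OK/FAIL), the sample lines and the thresholds are all assumptions constructed for illustration.

```python
"""Separate credential-stuffing from brute-force login activity in auth logs.

Added example, not GitHub's code. Log format, sample data and thresholds
are assumptions made for this illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: assumed format "timestamp src_ip user result".
# 203.0.113.5 tries ten different accounts once each and gets two in
# (credential stuffing); 198.51.100.7 hammers one account (brute force);
# 192.0.2.9 is a user who mistyped their password once (normal).
SAMPLE_LOG = """\
2016-06-14T21:00:01Z 203.0.113.5 alice FAIL
2016-06-14T21:00:02Z 203.0.113.5 bob FAIL
2016-06-14T21:00:02Z 203.0.113.5 carol OK
2016-06-14T21:00:03Z 203.0.113.5 dave FAIL
2016-06-14T21:00:03Z 203.0.113.5 erin FAIL
2016-06-14T21:00:04Z 203.0.113.5 frank FAIL
2016-06-14T21:00:05Z 203.0.113.5 grace OK
2016-06-14T21:00:05Z 203.0.113.5 heidi FAIL
2016-06-14T21:00:06Z 203.0.113.5 ivan FAIL
2016-06-14T21:00:06Z 203.0.113.5 judy FAIL
2016-06-14T21:01:00Z 198.51.100.7 alice FAIL
2016-06-14T21:01:01Z 198.51.100.7 alice FAIL
2016-06-14T21:01:02Z 198.51.100.7 alice FAIL
2016-06-14T21:01:03Z 198.51.100.7 alice FAIL
2016-06-14T21:01:04Z 198.51.100.7 alice FAIL
2016-06-14T21:01:05Z 198.51.100.7 alice FAIL
2016-06-14T21:02:00Z 192.0.2.9 alice FAIL
2016-06-14T21:02:10Z 192.0.2.9 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, ip, user, success) tuples; skip junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((ts, ip, user, result == "OK"))
    return events


def classify_sources(events, min_attempts=5, spread_ratio=0.8, max_targets=2):
    """Label each source IP as 'stuffing', 'brute_force' or 'normal'.

    Stuffing: at least min_attempts and nearly every attempt hits a different
    account (distinct accounts / attempts >= spread_ratio).
    Brute force: at least min_attempts concentrated on max_targets accounts or fewer.
    Thresholds are illustrative assumptions, not tuned production values.
    """
    per_ip = defaultdict(list)
    for _ts, ip, user, ok in events:
        per_ip[ip].append((user, ok))

    labels = {}
    for ip, attempts in per_ip.items():
        total = len(attempts)
        distinct = len({user for user, _ in attempts})
        if total < min_attempts:
            labels[ip] = "normal"
        elif distinct / total >= spread_ratio:
            labels[ip] = "stuffing"
        elif distinct <= max_targets:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def compromised_accounts(events, labels):
    """Accounts that saw a successful login from a source labelled 'stuffing'.

    These are the accounts a responder would reset first: a success inside a
    stuffing run almost always means the password was reused from a breach.
    """
    return sorted({user for _ts, ip, user, ok in events
                   if ok and labels.get(ip) == "stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    lab = classify_sources(evs)
    for ip, label in sorted(lab.items()):
        print(f"{ip:15} {label}")
    print("reset first:", compromised_accounts(evs, lab))
```

Grouping by source IP is the simplest cut and is enough for the sample; a real stuffing run is usually spread across many addresses to stay under per-IP rate limits, so in practice the same ratio test is applied per ASN, per user-agent or per time window, and the list of accounts that succeeded during the run is what drives the password resets.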
“We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account,” GitHub sensibly advised.
The list of large sites that have exposed user login credentials is long and growing. Historical breaches at the likes of LinkedIn and Adobe in particular mean an attacker need only replay the leaked email and password pairs against other services to break into the accounts of anyone daft enough to reuse login credentials from a breached site elsewhere.
GitHub is no stranger to security flaps. For example, state-sponsored hackers in China are widely blamed for an attack on the site last year seemingly related to the hosting of code that circumvented the country’s Great Firewall web censorship mechanisms.
Getting into accounts and messing with code provides a plausible motive for state-sponsored hackers to launch the credential-stuffing attack spotted by GitHub, in which leaked email and password pairs are replayed rather than passwords being brute-forced. Messing with code in order to spread common-or-garden malware, or in furtherance of some other privacy-invading or cash-generating scam, means it’s also possible that ordinary cybercriminals were behind the assault. ®