GitHub attacker launched massive login campaign using stolen passwords

Reusing four-year-old passwords from MySpace for GitHub? (credit: ABC Photo Archives / Getty Images)

On June 14, someone using what appears to have been a list of e-mail addresses and passwords obtained from the breach of “other online services” made a massive number of login attempts to GitHub’s repository service. A review of logins by GitHub’s administrators found that the attacker had gained access to a number of accounts, according to a blog post by Shawn Davenport, Vice President of Security at GitHub.
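The review described above (finding which accounts a password-replay campaign actually got into) can be approximated from authentication logs. The following is an added illustration, not code from the article or from GitHub: the log format, the sample lines and the thresholds are constructed, but the signal is the one the campaign leaves, a single source trying many distinct accounts with a low success rate, where any success inside that burst is an account to reset.

```python
# Added example (not from the article): flag credential-stuffing activity in
# constructed authentication logs. A campaign that replays leaked
# email/password pairs hits many distinct accounts from one source with a low
# success rate; a success inside such a burst marks an account to reset.
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source_ip> <email> <result>"
SAMPLE_LOG = """\
2016-06-14T03:00:01 203.0.113.7 alice@example.com FAIL
2016-06-14T03:00:02 203.0.113.7 bob@example.com FAIL
2016-06-14T03:00:03 203.0.113.7 carol@example.com OK
2016-06-14T03:00:04 203.0.113.7 dave@example.com FAIL
2016-06-14T03:00:05 203.0.113.7 erin@example.com FAIL
2016-06-14T03:00:06 203.0.113.7 frank@example.com FAIL
2016-06-14T03:10:00 198.51.100.9 alice@example.com FAIL
2016-06-14T03:10:30 198.51.100.9 alice@example.com OK
"""

def parse(log_text):
    """Turn the constructed log format into (ts, ip, email, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, email, result = line.split()
        events.append((ts, ip, email, result == "OK"))
    return events

def find_stuffing(events, min_accounts=5, max_success_rate=0.5):
    """Return {ip: sorted emails that logged in OK} for sources that tried at
    least min_accounts distinct accounts with a success rate at or below
    max_success_rate. A single user retrying their own password (one
    account, 50% success) is deliberately not flagged."""
    by_ip = defaultdict(list)
    for _, ip, email, ok in events:
        by_ip[ip].append((email, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        distinct = {email for email, _ in attempts}
        rate = sum(ok for _, ok in attempts) / len(attempts)
        if len(distinct) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = sorted(email for email, ok in attempts if ok)
    return flagged

def compromised_accounts(log_text=SAMPLE_LOG):
    """Accounts that should be reset and their owners contacted."""
    hits = find_stuffing(parse(log_text))
    return sorted({email for emails in hits.values() for email in emails})
```

Real deployments would key on more than source IP (campaigns rotate addresses), but the per-source distinct-account count and success ratio remain the core of the check.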

It’s not clear what the source of the e-mail/password combinations was, but there are certainly plenty of them out there right now—the recent bounty of “megabreaches”, consisting of aged passwords from MySpace, Tumblr, LinkedIn and the dating site Fling totaled more than 642 million accounts in all. And though they date back more than three years, there may have still been some that were being re-used by their owners on GitHub.

Davenport said that the passwords of the accounts accessed successfully by the attacker have all been reset. GitHub has begun contacting each affected user individually with instructions on how to get back into their account. He also urged GitHub users to enable two-factor authentication for the service and to “practice good password hygiene”—providing a link to an xkcd comic on password strength to explain.
