
A number of GitHub user accounts were hacked in a brute-force attack

The attack, which has been going on for three days, affects users with weak passwords and two-step authentication disabled.

GitHub users are strongly encouraged to change their password to a more complex one and enable two-step authentication as soon as possible to protect against an ongoing automated brute-force attack. The warning comes from GitHub security engineer Shawn Davenport.

GitHub has been under a massive brute-force attack for the past few days. Some users with weak passwords have already been compromised; GitHub reset those users' passwords and revoked their access tokens, OAuth authorizations and SSH keys, after notifying them.

“We’re continuing to investigate and will alert you if attackers gain access to your source code or credentials,” Davenport wrote, noting that passwords for a number of well-protected accounts have also been reset due to suspicious activity. “We limit failed login attempts and securely store user passwords, but during the attack, it was recorded that approximately 40,000 unique IP addresses were used to slowly guess passwords,” the engineer explained.
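The point Davenport makes is that a per-IP limit on failed logins does not stop guessing spread across tens of thousands of addresses. The following is an added example, not code from the article or from GitHub: it runs a per-IP limiter and a per-account "distinct failing sources" check over a constructed login log, showing that only the second view flags the targeted account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real GitHub data): "<UTC time> <FAIL|OK> <user> <source IP>".
SAMPLE_LOG = """\
2013-11-19T10:00:01Z FAIL alice 203.0.113.5
2013-11-19T10:03:10Z FAIL alice 198.51.100.7
2013-11-19T10:07:42Z FAIL alice 192.0.2.9
2013-11-19T10:12:05Z FAIL alice 203.0.113.77
2013-11-19T10:15:30Z FAIL alice 198.51.100.200
2013-11-19T10:20:00Z OK alice 192.0.2.9
2013-11-19T10:02:00Z FAIL bob 203.0.113.5
2013-11-19T10:04:00Z FAIL bob 203.0.113.5
2013-11-19T10:05:00Z OK bob 203.0.113.5
"""

def parse(line):
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip

def failures(log):
    # Time-ordered failed logins as (timestamp, user, ip).
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    return [(ts, user, ip) for ts, result, user, ip in events if result == "FAIL"]

def per_ip_limiter(log, window=timedelta(hours=1), limit=3):
    """Classic per-source rate limit: an IP is flagged only when it alone
    exceeds `limit` failures inside `window`. Spreading guesses over many
    addresses keeps every address under the limit."""
    recent, flagged = defaultdict(list), set()
    for ts, _user, ip in failures(log):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > limit:
            flagged.add(ip)
    return flagged

def distributed_targets(log, window=timedelta(hours=1), min_ips=4):
    """Per-account view: flag an account whose failures inside `window` came
    from at least `min_ips` distinct source IPs, returning the peak count."""
    recent, flagged = defaultdict(list), {}
    for ts, user, ip in failures(log):
        recent[user] = [(t, i) for t, i in recent[user] if ts - t <= window] + [(ts, ip)]
        distinct = len({i for _, i in recent[user]})
        if distinct >= min_ips:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

if __name__ == "__main__":
    print("per-IP limiter flags:", per_ip_limiter(SAMPLE_LOG))       # set()
    print("distributed targets:", distributed_targets(SAMPLE_LOG))   # {'alice': 5}
```

The thresholds and window are assumptions chosen for the sample; in practice they would be tuned to the service's normal failure rate per account.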

Hacker News users report login attempts against their accounts from Chinese, Indonesian, Venezuelan and Ecuadorian IP addresses. A GitHub commenter said the company has already compiled a list of cracked and widely shared passwords; if a user's password matches an entry in that list, the account is locked and the user is prompted to change the password.

“We wrote a script that checked the hash of each user’s password and stored salt against our list, and anyone found to have a similar password had to change it. We also force our customers to change their passwords every 28 days and store the last seven passwords in a database to make sure the user does not reuse the same password.”

All users are strongly recommended to enable two-step authentication, which in addition to the password requires a special code sent to the user’s phone. With it enabled, a brute-force attack on the password alone has no chance of success.

If you want to check whether someone has tried to log into your account, open your account's security history page and review the recorded login events.
