Web-based code repository service GitHub has reset the passwords on accounts targeted by a recent string of password reuse attacks.
Shawn Davenport, vice president of security at GitHub, announced the decision to reset some users’ passwords on Thursday:
“On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of GitHub.com accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts. GitHub has not been hacked or compromised.”
Davenport does not name the services from which the lists of compromised email addresses and passwords originated, but they could be connected to one or more of the “megabreaches” that hit the social networking sites MySpace, Tumblr, and LinkedIn, as well as the dating site Fling, between 2011 and 2013, especially if GitHub members reused those same passwords across multiple accounts.
No data loss appears to have resulted from this reuse of third-party breach data. The attacker might have viewed some users’ personal information, such as lists of the repositories and organizations they could access. In most cases, however, the damage is confined to an affected user’s username and password.
Compromised credentials are no small threat, however, especially on a code repository site like GitHub. Paul Ducklin of Naked Security rightly notes that an attacker could use a member’s username and password to make small and subtle changes to a project’s code, such as by installing a backdoor.
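As an added illustration (not from GitHub or the article), the following Python sketch shows how a defender might spot the pattern Davenport describes in authentication logs: one source trying many distinct accounts in a short burst with mostly failures, and which of the accounts that did succeed therefore need a password reset. The log format, IP addresses and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not GitHub's real log format):
# "<ISO-8601 timestamp> <source_ip> <account> <success|failure>"
SAMPLE_LOG = """\
2016-06-14T21:00:01Z 203.0.113.7 alice failure
2016-06-14T21:00:02Z 203.0.113.7 bob failure
2016-06-14T21:00:03Z 203.0.113.7 carol success
2016-06-14T21:00:04Z 203.0.113.7 dave failure
2016-06-14T21:00:05Z 203.0.113.7 erin failure
2016-06-14T21:00:06Z 203.0.113.7 frank failure
2016-06-14T21:02:00Z 198.51.100.9 alice failure
2016-06-14T21:02:30Z 198.51.100.9 alice success
"""

def parse_log(text):
    """Parse log lines into (timestamp, source_ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, source, account, outcome = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events.append((when, source, account, outcome == "success"))
    return events

def find_credential_stuffing(events, window=timedelta(minutes=10),
                             min_accounts=5, max_success_rate=0.5):
    """Map each suspicious source IP to the accounts that logged in from it.
    Suspicious: within `window`, at least `min_accounts` distinct accounts tried
    with a low success rate. One account retried from one source never trips it."""
    by_source = defaultdict(list)
    for event in sorted(events):
        by_source[event[1]].append(event)
    flagged = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep burst <= window
                start += 1
            burst = evs[start:end + 1]
            distinct = {e[2] for e in burst}
            rate = sum(e[3] for e in burst) / len(burst)
            if len(distinct) >= min_accounts and rate <= max_success_rate:
                # Successful logins from a stuffing source: these accounts need a reset.
                flagged.setdefault(source, set()).update(e[2] for e in burst if e[3])
    return flagged

if __name__ == "__main__":
    print(find_credential_stuffing(parse_log(SAMPLE_LOG)))
```

The thresholds are tuning knobs: a lower `min_accounts` catches slower, more distributed replays at the cost of more false positives from shared corporate egress addresses.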
To help affected users protect their projects, GitHub is urging all members to practice good password hygiene by using a strong, unique password with each of their web accounts.
The code repository service also recommends users implement two-factor authentication (in this instance, two-step verification), which protects an account with an additional layer of security by sending a one-time verification code to a registered phone after each login attempt.