Saturday, 18 June 2016

GitHub Hit by 'Reused Password Attack'



GitHub is the latest company to feel the effects of recent mega-breaches.
The site on Thursday announced that hackers this week attempted to access a "large number" of GitHub.com accounts using credentials stolen from other online services. GitHub itself was not hacked or compromised; the attackers simply got their hands on "lists of email addresses and passwords from other online services that have been compromised in the past" and tried them on GitHub accounts.
"We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts," the site said. In some cases, the attacker had access to "personal information including listings of accessible repositories and organizations."
In response to the incident, GitHub reset the passwords on all affected accounts. The company is now in the process of notifying affected users.

The attack is the latest in a series of incidents highlighting the danger of reusing the same password across the Web. Reddit late last month sent out 100,000 password resets amid a boost in account takeovers by "malicious (or at best spammy) third parties." The site suggested that the recent LinkedIn password dump was partly to blame for the uptick in account takeovers.
Meanwhile, Netflix also recently sent password resets to those who used their password on LinkedIn, Tumblr, or MySpace following major breaches of those sites.
"We encourage all users to practice good password hygiene and enable two-factor authentication to protect your account," GitHub wrote. "These attacks often evolve, and we're continuing to investigate and monitor for new attack vectors."

