GitHub accounts compromised in massive brute-force attack using 40,000 IP addresses

Popular source code repository service GitHub has recently been hit by a massive password brute-force attack that successfully compromised some accounts.
GitHub has urged users to set up two-factor authentication for their accounts and has already reset passwords for the compromised accounts.
"We sent an email to users with compromised accounts letting them know what to do," the company said. "Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked."
GitHub hashes stored passwords with bcrypt, which is deliberately slow to compute and so makes brute-forcing the stored hashes extremely time-consuming. That slowness does not, however, stop online guessing of weak passwords against the login form, which is what this attack relied on.

In a blog post, GitHub engineer Shawn Davenport said that a brute-force attack from around 40,000 IP addresses had revealed some commonly used passwords. The addresses were used to slowly brute-force weak passwords, so that no single source stood out.

In addition to normal strength requirements such as length and character-class rules, GitHub has banned frequently used weak passwords on the site and has "aggressively" rate-limited login attempts.

Among the common passwords seen in the attack were Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123 and similar variants.
"This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."
The exact number of compromised GitHub accounts was not disclosed, but GitHub's sign-up page now says passwords need to be at least seven characters long and contain at least one lowercase letter and one numeral.
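The two defensive measures the article describes, a password policy with a banned-password list and per-source rate limiting of login attempts, can be sketched in a few dozen lines. The following is an added example written for this page, not GitHub's own code: the banned list is the one quoted above, the length and character requirements follow the sign-up rules the article reports, and the rate-limit thresholds (5 attempts per 60 seconds) and the simulated source addresses are constructed assumptions. The simulation at the end shows why per-address limiting blunts a slow campaign spread over many addresses: each address gets only a handful of tries before it is refused.

```python
"""Added example (not GitHub's code): a password policy check and a per-source
login rate limiter modelled on the measures described in the article.
The thresholds and sample addresses are constructed for illustration."""
import re
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Passwords the article lists as commonly seen in the attack; matched
# case-insensitively so "PASSWORD1" is rejected along with "password1".
BANNED_PASSWORDS = frozenset(p.lower() for p in [
    "Password1", "Password123", "Qwerty123", "access14", "admin123",
    "bond007", "letmein", "pa55w0rd", "passw0rd", "password1", "password123",
])

MIN_LENGTH = 7  # the sign-up requirement the article reports


def password_problems(candidate: str) -> List[str]:
    """Return the list of policy violations (empty means the password passes).
    Rules follow the article: at least 7 characters, one lowercase letter,
    one numeral, and not on the banned list."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeral")
    if candidate.lower() in BANNED_PASSWORDS:
        problems.append("on the banned common-password list")
    return problems


class LoginRateLimiter:
    """Sliding-window limiter keyed by source address.  The defaults
    (5 attempts per 60 seconds) are hypothetical, not GitHub's settings."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 60.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, source_ip: str, now: Optional[float] = None) -> bool:
        """Record one login attempt from source_ip; return False if the
        address has exhausted its budget for the current window."""
        now = time.monotonic() if now is None else now
        q = self._attempts[source_ip]
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # refuse: too many recent attempts from this address
        q.append(now)
        return True


def simulate_distributed_guessing(limiter: LoginRateLimiter, addresses: List[str],
                                  guesses_per_address: int, start: float = 0.0) -> Tuple[int, int]:
    """Count how many guesses a set of addresses can actually submit when each
    tries guesses_per_address times in quick succession.  Returns (allowed, refused)."""
    allowed = refused = 0
    for ip in addresses:
        for i in range(guesses_per_address):
            if limiter.allow(ip, now=start + i * 0.1):
                allowed += 1
            else:
                refused += 1
    return allowed, refused


if __name__ == "__main__":
    for pw in ["Password1", "letmein", "abc1", "correct horse 7"]:
        print(f"{pw!r}: {password_problems(pw) or 'ok'}")
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=60)
    # Constructed addresses from the 203.0.113.0/24 documentation range.
    sources = [f"203.0.113.{i}" for i in range(1, 11)]
    print("allowed/refused:", simulate_distributed_guessing(limiter, sources, 20))
```

Two design points worth noting: the banned list is compared case-insensitively, because "Password1" and "password1" are the same guess to an attacker, and the limiter keys on the source address rather than the target account, so a campaign that spreads guesses across many accounts from one address is still throttled. In production the per-account failure count would be limited as well, since the article's attack spread each account's guesses across tens of thousands of addresses.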

So always choose a strong password that is hard to guess: use a mix of numbers and letters, avoid dictionary words, and pick a separate, unique password for each account or service.
