Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Monday, September 04, 2017 Mohit Kumar

Taringa-data-breach-hacker
Exclusive — If you have an account on Taringa, also known as "The Latin American Reddit," your account details may have compromised in a massive data breach that leaked login details of almost all of its over 28 million users.

Taringa is a popluar social network geared toward Latin American users, who create and share thousands of posts every day on general interest topics like life hacks, tutorials, recipes, reviews, and art.

The Hacker News has been informed by LeakBase, a breach notification service, who has obtained a copy of the hacked database containing details on 28,722,877 accounts, which includes usernames, email addresses and hashed passwords for Taringa users.

The hashed passwords use an ageing algorithm called MD5 – which has been considered outdated even before 2012 – that can easily be cracked, making Taringa users open to hackers.

Wanna know how weak is MD5?, LeakBase team has already cracked 93.79 percent (nearly 27 Million) of hashed passwords successfully within just a few days.

LeakBase has shared a dump of 4.5 million Taringa users with The Hacker News to help us verify the authenticity of the leaked database.

Using email addresses in the dump, we contacted a few random Taringa users with their plain text passwords, who acknowledged the authenticity of their credentials.

The data breach reportedly occurred last month, and the company then alerted its users via a blog post, sharing more information about the incident.
"It is likely that the attackers have made the database containing nicks, email addresses and encrypted passwords. No phone numbers and access credentials from other social networks have been compromised as well as addresses of bitcoin wallets from the Taringa program! Creators." the post (translated) says.
"At the moment there is no concrete evidence that the attackers continue to have access to the Taringa code! and our team continues to monitor unusual movements in our infrastructure."
To protect its users, Taringa is currently sending a password reset link via an email to its users as soon as they access their account with an old password.
Taringa-Data-Breach-hacking
One of the contacted users has also shared a screenshot of the notice with The Hacker News, as shown above.
"We've made a massive password reset strategy and also increased the encryption of the passwords from MD5 to SHA256. We've also been in contact with our community via our customer support team," a Taringa spokesperson told The Hacker News.

Leaked Database Analysis


Here below we have a brief analysis of the leaked database, which suggests that even after countless warnings, most people are continuously using deadly-simple passwords to safeguard their most sensitive data.

As you can see in the image given below, LeakBase team managed to crack 26,939,351 out of 28,722,877 passwords hashed using the MD5 algorithm, out of which over 15 Million were unique passwords.

The vast majority of the cracked passwords were alpha and lower case alpha and did not contain any special characters or symbols.

cracked-password

Here below we have the list of most popular/common passwords chosen by Taringa users that also includes top worst passwords such as 123456789, 123456, 1234567890, 000000, 12345, and 12345678.

Taringa-Data-Breach-passwords
The most popular length of the password was six characters long, followed closely by eight characters, nine and ten characters. Expectedly, the percentages drop drastically as you go higher in length.

Taringa-Data-Breach-Password-length

Besides the cracked passwords, LeakBase also take a look at the email addresses contained in the leaked data dump, and the most common email domains are as follows:
email-services

But, are Taringa users entirely responsible for choosing weak passwords?

Not completely. It's also the fault of the company, who failed to enforce a strong password policy on their users, eventually allowing them to sign up with weak passwords.

After data breaches, the organisations tend to blame the end users for poor password security, but they forget to provide them one.

So far, it has not been clear who is behind the attack on Taringa, neither how the attackers managed to breach into its servers.

Meanwhile, in a separate news,we reported about an unknown hacker selling personal details on more than 6 million high-profile Instagram accounts on an online website, Doxagram, after the hacker breached the Facebook-owned photo sharing service using a flaw in its API.

How to Help Protect Yourself from Data Breaches


Of course, if you are one of those potentially affected users, you are strongly recommended to change your passwords immediately.

Also, change passwords for other online accounts for which you are using the same password as for Taringa account.

Even if any website allows you to create an account with a weak password, you should always choose a complex password. Use a good password manager, if you find following best practices difficult.

Moreover, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source correctly.

Thursday, December 15, 2016 Swati Khandelwal

hack-macbook-password-filevault
Macintosh computers are often considered to be safer than those running Windows operating system, but a recently discovered attack technique proves it all wrong.

All an attacker needs is a $300 device to seize full control of your Mac or MacBook.

Swedish hacker and penetration tester Ulf Frisk has developed a new device that can steal the password from virtually any Mac laptop while it is sleeping or even locked in just 30 seconds, allowing hackers to unlock any Mac computer and even decrypt the files on its hard drive.

So, next time when you leave your Apple's laptop unattended, be sure to shut it down completely rather than just putting the system in sleep mode or locked.

Here's How an Attacker can steal your Mac FileVault2 Password


The researcher devised this technique by exploiting two designing flaws he discovered last July in Apple's FileVault2 full-disk encryption software.

The first issue is that the Mac system does not protect itself against Direct Memory Access (DMA) attacks before macOS is started.

It's because the Mac EFI or Extensible Firmware Interface (similar to a PC's BIOS) let devices plugged in over Thunderbolt to access memory without enabling DMA protections, which allows Thunderbolt devices to read and write memory.

Secondly, the password to the FileVault encrypted disk is stored in clear text in memory, even when the computer is in sleep mode or locked. When the computer reboots, the password is put in multiple memory locations within a fixed memory range, making it readable by hacking devices.

Dubbed PCILeech and costs approximately $300, the hacking device exploits these two vulnerabilities to carry out DMA attacks and extract Mac FileVault2 passwords from a device's memory in clear text before macOS boots, and anti-DMA protections come into effect.

To do this, all an attacker needs is access to a target Mac computer for just a few minutes to connect the PCILeech hacking device to the computer via its Thunderbolt port, which would allow the attacker to have full access to its data.

Video Demonstration of the Attack


Frisk also provided a video demonstration, which shows how he just plugged in a card flashed with his open source PCILeech software tool into the Mac's Thunderbolt port, which ran the hacking tool on the target Mac or MackBook, rebooted the system, and read the Mac password on the other laptop.


Yes, the attack only works if an attacker has physical access to a target Mac or MacBook, but all it takes is just 30 seconds to carry out successfully.
"Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the Mac is completely shut down," Frisk explained in a blog post on Thursday. 
"If the Mac is sleeping it is still vulnerable. Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!"
Frisk reported his findings to Apple in August and the company fixed the issues in macOS 10.12.2 released on 13 December.

So Apple desktop users are required to update their devices to the latest version of its operating system to be safe.

Wednesday, December 14, 2016 Swati Khandelwal

Ashley Madison Dating Site Agrees to Pay $1.6 Million Fine Over Massive Breach

Ashley Madison, an American most prominent dating website that helps married people cheat on their spouses has been hacked, has agreed to pay a hefty fine of $1.6 Million for failing to protect account information of 36 Million users, after a massive data breach last year.

Yes, the parent company of Ashley Madison, Ruby Corp. will pay $1.6 Million to settle charges from both Federal Trade Commission (FTC) and 13 states alleging that it misled its consumers about its privacy practices and did not do enough to protect their information.

Not only the company failed to protect the account information of its 36 Million users, but also it failed to delete account information after regretful users paid a $20 fee for "Full Delete" of their accounts.

Moreover, the Ashley Madison site operators were accused of creating fake accounts of "female" users in an effort to attract new members.

Avid Life Media denied the claim at the time, but a year later when the company rebranded as Ruby Corp., it admitted that tens of thousands of female users on AshleyMadison.com had just been lines of code.

Last year, a group of hackers released tons of gigabytes of critical data belonging to the company's internal operation as well as millions of Ashley Madison users that led to blackmails and even suicides.

Ruby Corp. was intended to pay a total of $17.5 Million fine -- $8.75 million fine to the FTC and another $8.75 million to 13 states that also filed complaints -- but the company can afford to pay just $1.6 Million fine.

"Today's settlement closes an important chapter on the company's past and reinforces our commitment to operating with integrity and to building a new future for our members, our team and our company," Rob Segal, Ruby's newly-appointed CEO, wrote in a blog post.

Besides this, Ruby Corp. has agreed to 20 years' worth of the FTC overseeing its network security to ensure that user data is being protected.

Here's the federal court order [PDF] that requires Ashley Madison to:

  • Perform a risk assessment to protect customer data
  • Implement new data security protocols
  • Upgrade systems based on the assessments
  • Offer periodic security risk assessment (both internal and third-party)
  • Require "reasonable safeguards" against any potential cyber attacks from their service providers

Ashley Madison was hacked in July 2015, resulting in the disclosure of personal information belonging to 35 Million users, including their usernames, first and last names, passwords, credit card data info, street names, phone numbers, transactions records, and email addresses.

Thursday, November 10, 2016 Mohit Kumar

hack-facebook-acccount-password
Facebook is reportedly buying stolen passwords that hackers are selling on the underground black market in an effort to keep its users' accounts safe.

On the one hand, we just came to know that Yahoo did not inform its users of the recently disclosed major 2014 hacking incident that exposed half a billion user accounts even after being aware of the hack in 2014.

On the other hand, Facebook takes every single measure to protect its users' security even after the company managed to avoid any kind of security scandal, data breach or hacks that have recently affected top notch companies.

Speaking at the Web Summit 2016 technology conference in Portugal, Facebook CSO Alex Stamos said that over 1.3 Billion people use Facebook every day, and keeping them secure is building attack-proof software to keep out hackers, but keeping them safe is actually a huge task.

Stamos said there is a difference between 'security' and 'safety,' as he believes that his team can "build perfectly secure software and yet people can still get hurt."

Stamos was former Chief Information Security Officer at Yahoo who left the company in 2015 after discovering that its Chief Executive Marissa Mayer authorized the government surveillance program.

Stamos joined Facebook in summer 2015 and now leads the security team at the social network. He said that the biggest headache he deals there with is caused by passwords users keep securing their accounts.

"The reuse of passwords is the No. 1 cause of harm on the internet," said the security chief.

According to him, the username and password system that was initially introduced in the 1970’s will not help us now in 2016.

As CNET reports, when passwords are stolen in masses and traded on the black market, it becomes apparent just how many of users are choosing the weakest passwords, such as 12345 and password, to secure their online accounts, automatically making their account more vulnerable to being hacked.

And this issue is something the social network giant is keen to help its users avoid.

In an attempt to check that its users are not making use of these commonly used passwords for their Facebook accounts, Stamos disclosed that the company buys passwords from the black market and then cross-references them with encrypted passwords used on its site.

Stamos said that the social network then alerts tens of millions of users that their passwords needed changing as they were not strong enough to protect their accounts.

Facebook provides you a whole bunch of tools to tighten up the security of your account, including traditional two-factor authentication, identifying faces of friends, as well as machine learning algorithms to determine and inform whether activity on your account is fraudulent.

Users are always advised to enable Two-factor authentication, which is an effective measure to keep a tight hold on your account even after hackers have your credentials.

Another new measure tackles the issue of account recovery. So, even if hackers find their way into your email account that could allow them to seize your Facebook account easily by resetting your password, the social network allows you to let your close friends verify account recovery request on your behalf.

Thursday, January 21, 2016 Wang Wei

worst-terrible-password
Some things online can never change like -- Terrible Passwords by Humans.

When it's about various security measures to be taken in order to protect your Internet security, like installing a good anti-virus or running Linux on your system doesn’t mean that your work gets over here, and you are safe enough from online threats.

However, even after countless warnings, most people are continuously using deadly-simple passwords, like '123456' or 'password,' to safeguard their most sensitive data.

Evidence suggests that weak passwords are as popular now as they ever were, and the top 25 passwords of 2015 are very easy to guess.

Password management firm SplashData on Tuesday released its annual "Worst Passwords List". The 2015 list almost resembled the 2014 list of the worst password, but there are some interesting new entries, including the Star Wars-inspired 'solo,' and 'starwars.'

Also Read: Best Password Manager — For Windows, Linux, Mac, Android, iOS and Enterprise

Hard to believe, but '123456' once again topped the list, just like last year, and again followed by the truly terrible 'password.'

Sport remains popular among online users as 'football' and 'baseball' are both on the top 10 list of worst passwords.

Top 25 Worst Passwords of 2015


SplashData analyzed over 2 Million leaked passwords in 2015, and the results are as follow:
  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars
"The longer passwords are so simple as to make their extra length virtually worthless as a security measure," says SplashData
The importance of online security around personal data has increased due to the rise in data breaches and cyber attacks over recent years.

Last year was the year of data breaches. According to an estimate, around 480 Million personal data records were leaked online, which included high-profile breaches at the United States Office of Personnel Management (OPM) and the extramarital affair site Ashley Madison.

So remember: "God helps those who help themselves," likewise nobody can secure you online unless and until you are not willing to.

How to Create a Strong Password


Always create different passwords for different sites. So that if one site is breached, your other online accounts on other sites are secure from being hacked.

These are some useful tips that will help you make password strength secure and easier to remember:
  • Use a combination of lowercase, uppercase, numbers, and special characters of 8 characters long or more like s9%w^8@t$i.
  • Use short passphrases with special characters separating to make it difficult for crackers and could be easily remembered like cry%like@me (cry like me).
  • Avoid using the same combination of passwords for different websites.
  • If it is difficult for you to remember different passwords for different websites, then use best Password Manager applications like RoboForm, 1Password, LastPass.

Stay Safe! Stay Secure!

Tuesday, August 04, 2015 Swati Khandelwal

Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password
Hackers have their hands on something of your concern. A severe zero-day vulnerability in the latest, fully patched version of Apple's Mac OS X is reportedly being exploited in the wild by the hackers.

The vulnerability could allow attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite) operating system, without requiring victims to enter system passwords, a new report says.

The zero-day bug came over a week after security researcher Stefan Esser discovered a privilege escalation zero-day vulnerability in the latest version of Apple's OS X Yosemite that caused due to environment variable DYLD_PRINT_TO_FILE and dynamic linker dyld, new error-logging features added to the operating system.

The developers failed to implement standard safeguards that are needed while adding support for new environment variables to the OS X dynamic linker dyld, allowing hackers to create or modify files with root privileges that can fit anywhere in the Mac OS X file system.

OS X Zero-Day Exploit in the Wild


Now, security researchers from anti-malware firm Malwarebytes spotted a malicious installer in the wild that was exploiting the zero-day vulnerability to infect Macs with different types of adware including VSearch, MacKeeper and Genieo.

The issue actually resides in a hidden Unix file – Sudoers – which is actually a list of files as to which software are allowed to get root permissions on a computer. However, a modification to the Sudoers allowed the installer to gain root level permissions without the need of password from an administrator.

The issue was discovered by Adam Thomas while testing a new adware installer.
"The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed," Malwarebytes researchers explains in a blog post. "Part of the script involves deleting itself when it's finished."
"The real meat of the script, though, involves modifying the Sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password."

No Way Out for Mac Users


The zero-day flaw affects both the current stable Mac version OS X 10.10 (build 10.10.4) and the recent Beta build OS X 10.10.5 (Yosemite).

Good news for Mac users who are running Mac OS X 10.11 El Capitan Beta builds, as it appears that they are not affected by the zero-day flaw.

Until Apple patches this critical issue, you don't have any good options to prevent a skilled hacker from installing malware on your Mac systems, beyond using a patch created by Esser himself, which can be downloaded from here.

No doubt, Esser is a respected security researcher, but installing a patch from a third party developer can be a risky. Therefore, we advise you to fully investigate the patch before installing.

Friday, June 12, 2015 Mohit Kumar

We at The Hacker News get a lot of requests via emails and messages from people who want to hack into someone else’s Facebook account or Gmail account or break into somebody’s network.

However, 80 to 90 percent requests we receive every day are from people who want to hack into their girlfriend, boyfriend, wife, or husband’s Facebook account in order to read their private conversations and reveal their secret relationships, if any.

Even though we strongly deny any such requests because accessing someone else’s account without their knowledge or permission is a crime…

...but there are demands from people – those cheated by their love, betrayal of trust, driven by greed or revenge – to break into the Facebook accounts of other people.

So, what about Hiring a Hacker?


As money could buy everything, a service received a lot of popularity earlier this year – even featured on the front page of the New York Times – claims to connect these needy people to professional hackers for hire around the world.

Hacker’s List, launched in November 2014, received more than 500 hacking jobs in the period of just three months. Anyone can post or bid on a hacking project listed on the website.

There are around 2740 anonymous hacker profiles displayed on the website who are ready to accomplish hacks for you if hired. Prices of hackers range from $28 to $300, and full hacking projects range in prices of $100 to $5000.

Payments are done anonymously — collection of fees when tasks are completed, nobody knows the identity of those involved in doing the work.

Hacker’s List claims to provide "ethical hacking" services and asks users not to "use the service for any illegal purposes," as laid out in its 10-page long terms and conditions section.

However, the activities listed on the site are clearly illegal in some cases, so is it providing a so-called white hat hacking service?

Do You Also want to Hack Facebook Accounts?


Recent research indicates that many of the hacking tasks listed on Hacker’s List are related to breaking into Facebook accounts, hacking Gmail passwords, reading someone else’s chat logs from messaging apps like WhatsApp and Messenger.

In short, most of the requests from people are completely unlawful, very few requests are actually legal, and even most of the already completed projects fall under the category of crime.

The statistics of research conducted by security researchers Jonathan Mayer shows that the majority of users want to hack into somebody’s Facebook accounts, as Facebook is the most common target of users.

Below are the stats:


  • 23% of projects relate to Facebook hacking, often involving a business dispute or jilted romance.
  • 14% of projects relate to Google account hacking, also involving a business dispute or jilted romance.
  • 8% of projects involve students asking for University’s computer systems to be hacked in order to improve their exam grades.
  • 3% of projects involve burying some embarrassing tidbit, essentially an ersatz Right to be Forgotten.


Revealing True Identity of Customers


Mayer has also noticed another interesting fact that it is quite possible for anyone to reveal the true identity of Anonymous clients who are actually asking/hiring hackers for his or her jobs.

Every user registered on “Hacker’s List” website choose anonymous usernames in order to keep their actual identity hidden. However, there are physiological possibilities that most users keep their username same for multiple websites like I do.

Mayer explained that using a simple web page crawler, anyone can collect all the usernames from Hacker’s List Project pages and then can cross-link each of these so-called anonymous usernames with Facebook to find active profiles, possibly revealing their true identity, email addresses, contact details and other personal data.

Personally, I don’t encourage anyone to hack into the accounts of other people, and to avoid getting hacked; you should regularly update your password and keep other security settings tight.

Monday, April 07, 2014 Swati Khandelwal

Unbreakable Encryption inspired by Human Biology
When we talk about security, only one thing cames to our mind – ENCRYPTION. Encryption of our online messages, encryption of our emails, encryption of our voice call, encryption of our every personal data and communication that we have to keep away from cybercriminals and, if I am not wrong, also from government intelligence agencies, such as NSA and GCHQ.

Eventually, secure encryption is mandatory need of our modern Internet, Mobile communication, financial transactions, network sensors, car keys, and many more. But, government agencies like NSA are trying hard to break every effort that we adopt to secure our personal and confidential data. 

NSA is trying to develop a futuristic super computer called 'Quantum computer' that could be capable of breaking almost every kind of Encryption used to protect banks, medical, business including top-secret information held by government around the world.

NEARLY UNBREAKABLE ENCRYPTION
So, need for new encryption schemes are on demand that is harder, even much harder to break. By keeping this in mind, scientists have come up with the new encryption scheme which is nearly uncrackable to make life tough for cyber criminals and government spying agencies.

A team of physicists at Lancaster University in the UK have built up almost unbreakable encryption scheme inspired by the time-varying nature of the cardiorespiratory coupling in humans, like the way our heart and lungs interact, which results in an “endless number of secret encryption key possibilities” shared between the sender and receiver.

This very new method of unbreakable encryption came from the interdisciplinary research carried out by the scientists, Dr Tomislav Stankovski, Professor Peter McClintock, and Professor Aneta Stefanovska, and the patent includes Dr Robert Young, from the department of physics.
One of the scientists Dr Stankovski said, "Here we offer a novel encryption scheme derived from biology, radically different from any earlier procedure. Inspired by the time-varying nature of the cardio-respiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack."
HOW IT WORKS
Despite handling separate jobs to keep us alive, the way our heart and lungs interact with each other is a paradigm of “coupling functions”. Since the two ends of encryption are the sender and the receiver, just like our heart and lungs.

To coordinate their rhythms, they need to communicate back and forth with each other various times, which the researchers called cardio-respiratory interactions. So, the information is encrypted on both the ends and to decrypt using the coupling functions.

Using same biological logic, Scientists have illustrated their new communication framework. "A number of information signals coming from different channels or communications devices (e.g., mobile phone, sensor networks, or wireless broadband) are to be transmitted simultaneously. "
The number of coupling functions in use will always be finite, depending on the specific number of information channels that are needed; the choice of forms available for the coupling functions (forming the private key) is, however, unbounded.

The coupling functions send and receive multiple encrypted signals at the same time, generating a limitless number of possibilities for the shared encryption key and making it indeed hard to decrypt using conventional methods.

The scientists have also published a paper pdf, “Coupling Functions Enable Secure Communications,” in Physical Review X and also filed a patent application for "Encoding Data Using Dynamic System Coupling." The pdf will help you understand the working of the cryptosystem in the schematic of the new communications scheme. You can download the PDF from here.

Monday, January 20, 2014 Swati Khandelwal

123456, password, 12345678, qwerty… or abc123, How many of you have your password one of these??? I think quite a many of you.

Even after countless warnings and advices given to the users by many security researchers, people are continuously using a weak strength of password chains.
After observing many cyber attacks in 2013, we have seen many incidents where an attacker can predict or brute-force your passwords very easily.

From 2012, the only change till now is that the string “password” has shifted to the second place in a list of the most commonly used passphrases and string “123456” has taken the first place recently, according to an annual "Worst Passwords" report released by SplashData, a password management software company

They announced the annual list of 25 most common passwords i.e. Obviously the worst password that found on the Internet. The Most common lists of the passwords this year are "qwerty," "abc123," "111111," and "iloveyou", which are really easily guessable.

"Another interesting aspect of this year's list is that most short numerical passwords showed up even though websites are starting to enforce stronger password policies," says Morgan Slain, CEO of SplashData.

Below are the worst passwords list of 2013 with Rank and showing the comparison of it from 2012:
 
If you are also using one of these passwords or other dictionary words, then you are advised to change it as soon as possible. We further advise you to use different passwords for different accounts, as if one of your account gets hacked, you’ll be totally ruined.

The above list of passwords was compiled from data dumps of stolen passwords posted online, and the firm says it was especially influenced by the millions of Adobe accounts that were compromised in the fall.

Fact & figure
Stricture Consulting Group attempted to decrypt the leaked Adobe passwords and released an estimate that almost 2 million of the more than 130 million users affected by the breach appeared to be using "123456" as a password.

Now when you talk about various security measures to protect your privacy and data, installing an Antivirus doesn’t mean that here your work gets over and you are safe enough. “God helps those who help themselves” likewise nobody can secure your privacy unless and until you yourself not willing to.

Here I have listed some useful tips to make your password strength secure and easier to remember:
  • Use a combination of lowercase, uppercase, numbers, and special characters of 8 characters long or more like s9%w^8@t$i
  • Use short passphrases with special characters separating to make it difficult for crackers and could be easily remembered like cry%like@me (cry like me)
  • Avoid using the same combination of passwords for different websites
  • If it is difficult for you to remember different passwords for different websites and accounts than try using Password manager applications like RoboForm, 1Password, LastPass.
STAY SECURE, STAY SAFE!

Thursday, November 21, 2013 Wang Wei

Popular source code repository service GitHub has recently been hit by a massive Password Brute-Force attack that successfully compromised some accounts, 
GitHub has urged users to set up two-factor authentication for their accounts and has already reset passwords for compromised accounts.
We sent an email to users with compromised accounts letting them know what to do,”
Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked.” 
However, GitHub uses the bcrypt algorithm to hash the passwords, which is extremely resilient against brute force attacks because it takes an inordinate amount of time to encrypt each password.

In a blog post, GitHub engineer Shawn Davenport said that a brute force attack from around 40,000 IP addresses revealed some commonly used passwords. These addresses were used to slowly brute force weak passwords.

In addition to normal strength requirements like length or character requirements, they have banned frequently used weak passwords on the site and had "aggressively" rate-limited login attempts.

Common passwords i.e. Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123 and more similar.
"This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."
The exact number of compromised GitHub accounts was not disclosed but now GitHub’s sign-up page says passwords need to be at least seven characters long and have at least one lowercase letter and one numeral.

So, Always choose a good password that will be hard to crack i.e. Use a mix of numbers, letters and non-dictionary words and You should choose separate, unique passwords for each account or service.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!