On Tuesday, we reported that cybercriminals had launched a brute force attack against GitHub accounts. Users reported seeing failed login attempts coming from China, Venezuela, Indonesia, Ecuador and other countries.
According to GitHub, the accounts of some users who had weak passwords have been compromised. Impacted customers are being notified via email. Their passwords have been reset, and their SSH keys, access tokens and OAuth authorizations have been revoked.
“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses,” GitHub’s Shawn Davenport explained in a blog post.
“These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this.”
GitHub has taken a series of measures to protect users against future attacks. For instance, users will no longer be able to log in with commonly used, weak passwords.
Furthermore, as a precaution, some accounts have been reset even if they had been protected by strong passwords. These accounts have been accessed by IP addresses involved in the attack.
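The two points above, that per-IP rate limiting does not stop a campaign spread across tens of thousands of addresses, and that accounts later accessed from those same addresses need to be reset, are easiest to see in a small detection script. The following is an added illustration, not GitHub's code or anything from the incident: it runs over a handful of constructed authentication log lines (the log format, usernames and addresses are assumptions) and contrasts a classic per-source-IP limiter with per-account correlation of failures across distinct sources, then lists successful logins from addresses seen guessing passwords.

```python
"""Detect a distributed, low-rate password-guessing campaign from auth logs.

A per-IP rate limiter only sees each source address's own attempt count, so an
attacker spreading guesses across many addresses stays under that threshold.
Correlating failures per *account* across distinct source IPs catches it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real GitHub data). Assumed format:
# "<ISO timestamp> <OK|FAIL> user=<login> ip=<source address>"
SAMPLE_LOG = """\
2013-11-19T10:00:01 FAIL user=alice ip=203.0.113.5
2013-11-19T10:03:12 FAIL user=alice ip=198.51.100.7
2013-11-19T10:07:45 FAIL user=alice ip=192.0.2.33
2013-11-19T10:12:30 FAIL user=alice ip=203.0.113.77
2013-11-19T10:15:02 FAIL user=alice ip=198.51.100.90
2013-11-19T10:20:41 OK   user=alice ip=198.51.100.90
2013-11-19T10:01:00 FAIL user=bob ip=203.0.113.5
2013-11-19T10:01:05 FAIL user=bob ip=203.0.113.5
2013-11-19T10:01:10 FAIL user=bob ip=203.0.113.5
2013-11-19T10:01:15 FAIL user=bob ip=203.0.113.5
2013-11-19T10:02:00 FAIL user=carol ip=192.0.2.10
2013-11-19T10:30:00 OK   user=carol ip=192.0.2.10
"""


def parse_log(text):
    """Parse the assumed log format into a time-sorted list of (time, result, user, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, ip_kv = line.split()
        events.append((datetime.fromisoformat(ts), result,
                       user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return sorted(events)


def _has_burst(times, count, window):
    """True if any `count` consecutive (sorted) timestamps fall within `window`."""
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def ips_over_rate_limit(events, max_fail=3, window=timedelta(minutes=5)):
    """Classic per-IP limiter: flag sources with >= max_fail failures in a window."""
    fails = defaultdict(list)
    for t, result, _user, ip in events:
        if result == "FAIL":
            fails[ip].append(t)
    return {ip for ip, times in fails.items() if _has_burst(times, max_fail, window)}


def distributed_targets(events, min_ips=4, window=timedelta(hours=1)):
    """Per-account correlation: flag accounts that collect failures from
    >= min_ips distinct sources inside a window, however slow each source is.
    Returns {user: set of attacking IPs}."""
    fails = defaultdict(list)  # user -> [(time, ip)], already time-ordered
    for t, result, user, ip in events:
        if result == "FAIL":
            fails[user].append((t, ip))
    flagged = {}
    for user, attempts in fails.items():
        for i, (start, _ip) in enumerate(attempts):
            ips = {ip for t, ip in attempts[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = flagged.get(user, set()) | ips
    return flagged


def successes_from_attack_ips(events, attack_ips):
    """Logins that succeeded from an address seen guessing passwords: the
    accounts a defender should reset, revoke tokens for, and notify."""
    return {(user, ip) for _t, result, user, ip in events
            if result == "OK" and ip in attack_ips}


def analyze(text):
    """Run both detectors and the compromise check over one log extract."""
    events = parse_log(text)
    targets = distributed_targets(events)
    attack_ips = set().union(*targets.values()) if targets else set()
    return {
        "rate_limited_ips": ips_over_rate_limit(events),
        "distributed_targets": targets,
        "likely_compromised": successes_from_attack_ips(events, attack_ips),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample data the per-IP limiter only trips on the single address hammering `bob`; `alice` is never flagged that way because each of the five addresses guessing her password fails once, yet the per-account view sees five distinct sources in an hour and then a successful login from one of them, which is exactly the "accessed by IP addresses involved in the attack" condition that justifies a precautionary reset.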
GitHub says that it will keep users posted in case source code or sensitive information becomes compromised.
On Hacker News, users have reported seeing between 4 and 14 failed login attempts on their accounts.
GitHub customers are advised to review their accounts, make sure they have a strong password, and enable two-factor authentication.
GitHub added a two-factor authentication system in early September. The two-factor authentication code can be sent to users via SMS on their mobile devices, or they can generate it with a free two-factor authentication app. If you have questions, you can contact GitHub via their contact page.