3K+ Email Addresses Of GitHub Enterprise Users Outed In Email And Then Posted On Pastebin [Updated]

It looks like GitHub Enterprise, the on-premises version of the GitHub code-sharing platform, has today leaked the email addresses of more than 3,000 of the people who use it. Those addresses were then posted online on a Pastebin page (which we’re not linking to; please don’t post the link in the comments below).

We have reached out to GitHub to get more details but have yet to hear back. However, it looks like the email may have been a technical error. The email told recipients that their licenses were running out and encouraged them to click through to a GitHub page to renew them. But according to accounts on Reddit, at least some of those recipients were surprised to receive the notices because their licenses were paid up well beyond the expiry date stated in the email.

That makes this sound like a potential phishing attack, except that a poster on Hacker News said that he had received an update from GitHub Enterprise noting that the email was sent in error:

This morning a routine email was accidentally sent to many of our GitHub Enterprise customers. In these errant emails, customer email addresses were included in the To: field, making them visible to anyone who received the message.

We have stopped the remaining messages in the email batch from being sent, and are investigating how this happened.

We are very sorry that your email address was accidentally shared. Your GitHub Enterprise installation is unaffected, and no license keys or any other data were exposed during this incident.

We are investigating the root cause of this email issue and will update our blog with our findings.

Again, we are very sorry this happened. Your privacy is very important to us and we will be making changes to ensure that this does not happen again.

But even if GitHub has stopped the remaining messages, that doesn’t change the fact that at least one of the recipients has now posted the full list on Pastebin. A list of confirmed GitHub Enterprise customer contacts is exactly the kind of targeting data a phishing campaign wants, and the errant message itself, a license-expiry notice with a renewal link, is the sort of template such a campaign would copy.

If all this is accurate, it’s a pretty embarrassing mistake for GitHub, and especially for GitHub Enterprise, which is meant to be the more secure, self-hosted version of the service. It also comes on the heels of some DDoS attacks on the site. And beyond the exposure of the addresses themselves, the damage to customers’ trust could be the more serious consequence:

“If they can’t protect my f****** email address why the hell should I trust them with my clients code?” one person wrote on Reddit.

Update: GitHub has now confirmed that this was an error on its part involving the Rails application it uses to manage customer contact information for GitHub Enterprise, not the product itself. “Earlier today a routine system email was incorrectly sent to many of our GitHub Enterprise customers. In these errant emails, customer email addresses were included in the To: field, making them visible to anyone who received the message,” it writes in a blog post. “We are very sorry about this. We have determined what caused this incident and contacted all affected customers directly.” It says that no GitHub Enterprise installations were affected, and no license keys or other data were exposed. GitHub.com was also not affected.
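The failure mode GitHub describes, every customer’s address in the To: field of one bulk message, is a classic one, and the fix is mechanical: send one message per recipient (or, at minimum, put the list in Bcc) and gate the outgoing batch on a check that no message exposes more than one address. The following Python is an added illustration written for this article, not GitHub’s Rails code, which has not been published; the customer list, sender address, subject and message text are constructed sample data.

```python
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default

# Constructed sample data for this illustration; documentation domains, not real customers.
CUSTOMERS = [
    {"email": "alice@example.com", "expires": "2013-11-30"},
    {"email": "bob@example.net", "expires": "2014-02-15"},
    {"email": "carol@example.org", "expires": "2013-12-31"},
]
SENDER = "enterprise-notices@example.com"  # assumed sender address
SUBJECT = "Your GitHub Enterprise license"  # assumed subject line


def build_batch_broken(customers):
    """The errant pattern: one message with every customer in To:.

    Every recipient can read the full list, and a single body can only carry
    one expiry date, so the notice cannot be right for everyone either.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(c["email"] for c in customers)
    msg["Subject"] = SUBJECT
    msg.set_content("Our records show your license is about to expire.\n")
    return [msg.as_bytes()]


def build_batch_safe(customers):
    """One message per customer: only that customer's own address ever appears."""
    batch = []
    for c in customers:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = c["email"]
        msg["Subject"] = SUBJECT
        msg.set_content(
            f"Our records show your license expires on {c['expires']}.\n"
        )
        batch.append(msg.as_bytes())
    return batch


def visible_recipients(raw):
    """Addresses every recipient of this serialized message can read (To: and Cc:).

    Bcc: is not counted; that assumes the submission path strips it before relay.
    """
    msg = BytesParser(policy=default).parsebytes(raw)
    seen = set()
    for field in ("To", "Cc"):
        for header in msg.get_all(field, []):
            seen.update(a.addr_spec.lower() for a in header.addresses)
    return seen


def check_batch(raw_messages, max_visible=1):
    """Pre-send gate: indices of messages exposing more than max_visible addresses.

    An empty list means the batch is safe to hand to the mailer.
    """
    return [
        i for i, raw in enumerate(raw_messages)
        if len(visible_recipients(raw)) > max_visible
    ]


if __name__ == "__main__":
    print("broken batch offenders:", check_batch(build_batch_broken(CUSTOMERS)))
    print("safe batch offenders:  ", check_batch(build_batch_safe(CUSTOMERS)))
```

Run against the per-recipient batch the gate returns no offenders, while the single shared message is flagged because all three addresses are readable in its To: header. The gate parses the serialized bytes rather than trusting the builder, so it catches the mistake wherever it is introduced. It deliberately ignores Bcc on the assumption that the submission path strips that header; if your MTA relays it untouched, a Bcc list is just as exposed as To: and the check should count it too.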

A more complete technical explanation is here.

Additional reporting: Alex Williams