GitHub accounts targeted in password reuse attack

Following a massive cache of LinkedIn passwords being dumped online last month, users of another online service — GitHub — have become the latest target of a password reuse attack as hackers apparently seek to exploit credentials obtained elsewhere to gain illicit access to user accounts and data.

Writing on its blog today, developer project hosting service GitHub said that on Tuesday evening PST it became aware of “unauthorized attempts to access a large number of GitHub.com accounts”.

“This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” it writes, adding: “We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.”
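What GitHub describes above is credential stuffing: one source trying leaked email and password pairs against many different accounts. As an added example, not code from GitHub or from this article, the following Python flags that pattern in constructed authentication log lines (the log format, field names and thresholds are assumptions); a single account being retried from one address is deliberately left unflagged so the two patterns can be told apart.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login telemetry (not real GitHub data); the line format is assumed.
# 203.0.113.7 sprays six accounts in seconds; 198.51.100.2 retries one account.
SAMPLE_LOG = """\
2016-06-14T20:01:03Z ip=203.0.113.7 user=alice result=fail
2016-06-14T20:01:04Z ip=203.0.113.7 user=bob result=fail
2016-06-14T20:01:05Z ip=203.0.113.7 user=carol result=success
2016-06-14T20:01:06Z ip=203.0.113.7 user=dave result=fail
2016-06-14T20:01:07Z ip=203.0.113.7 user=erin result=fail
2016-06-14T20:01:08Z ip=203.0.113.7 user=frank result=fail
2016-06-14T20:03:00Z ip=198.51.100.2 user=alice result=fail
2016-06-14T20:03:20Z ip=198.51.100.2 user=alice result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")


def parse(log):
    """Turn log text into (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for m in filter(None, (LINE_RE.match(l.strip()) for l in log.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag each source IP that attempts logins against at least `min_users`
    distinct accounts inside any sliding `window`. Spraying across accounts is
    the signature of stuffing; repeated tries on one account is not, and is
    left to per-account lockouts or rate limits instead."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                # Successful logins inside the window are the accounts to reset and notify.
                best = (len(users), sorted({u for _, u, r in win if r == "success"}))
        if best:
            alerts[ip] = {"distinct_users": best[0], "succeeded": best[1]}
    return alerts
```

Running `detect_stuffing(parse(SAMPLE_LOG))` reports only 203.0.113.7, with the one account it logged into successfully, which is the list a provider would use for the resets and notifications described in the post.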

GitHub emphasized that its own security systems have not been hacked or compromised.

And while it does not mention the recent LinkedIn password data dump specifically, the timing looks more than a little coincidental: more than 100 million LinkedIn members’ emails and passwords were dumped online last month, dating back to an earlier 2012 hack.

But if not LinkedIn, a large cache of previously hacked MySpace user credentials was also being offered online last month, with perhaps as many as 427 million MySpace passwords up for sale on a hacker forum. Clearly it’s a bonza time to be a hacker with so much password data floating around the dark web.

GitHub declined to answer additional questions about the attack, pointing instead to its blog post, which confirms that usernames and passwords have been accessed for all accounts affected by the password reuse attack (although we do not know how many accounts that is).

Some accounts may also have had other personal information exposed including listings of accessible repositories and organizations, it added.

The company said it has reset passwords on all affected accounts, and is “in the process of sending individual notifications to affected users”.

It suggests users practice good password hygiene (i.e. not reusing passwords from other services, and making sure you create robust and unique passwords for all your services… ) and switch on two-factor authentication to make it harder for hackers to gain access.

In both the LinkedIn and MySpace data breaches, passwords had been stored as unsalted SHA-1 hashes, meaning they were very easily cracked.

The result of such large-scale security folly clearly continues to play out across the digital arena, even affecting developer-focused services like GitHub, where you might expect users to be rather more security-savvy about not reusing passwords than the average web consumer.

That said, earlier this month Facebook CEO Mark Zuckerberg’s lesser-used social accounts were also targeted by password reuse hackers, suggesting Zuck himself had committed the cardinal but all-too-human crime of password reuse. The hackers directly referenced the LinkedIn password breach as their route to gaining access.

It also emerged earlier this month that millions of Twitter users’ credentials were being touted for sale online by hackers. In that instance, however, it appeared that malware had been used to harvest credentials directly from users’ devices, rather than the data resulting from password reuse.