GitHub accounts with feeble passwords fall to brute force attack

Summary: GitHub user? Now would be a good time to set up two-factor authentication.

Popular software hosting service GitHub has urged users to set up two-factor authentication after an automated password-guessing attack compromised some accounts with weak passwords.

With massive password leaks appearing nearly weekly and reusing the same password across multiple accounts still common practice, automated password attacks are one good reason to set up an extra layer of authentication for crucial online services. Apple, DropBox, Google, Twitter, Facebook and Microsoft have all rolled out two-factor authentication over the past year.

GitHub has sent out emails to users with weak passwords whose accounts were compromised in a password-guessing attack on its authentication system that was launched from around 40,000 unique IP addresses.

The IP addresses were used to "slowly brute force weak passwords or passwords used on multiple sites", according to a blogpost by GitHub security manager Shawn Davenport today.

GitHub has reset passwords on compromised accounts and is telling those affected to create a new, stronger password. It has also revoked personal access tokens, OAuth authorisations, and SSH keys on the affected accounts.

GitHub has even reset some user accounts with strong passwords after detecting logins on the accounts from IPs that were used in the attack, Davenport said.
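The two signals described above, an account being guessed at from many sources at a low rate each, and a successful login arriving from a source already seen in the attack, can both be pulled out of ordinary authentication logs. The script below is an added illustration written for this article, not GitHub's own tooling; it works on constructed sample lines in a hypothetical "timestamp result user= ip=" format with RFC 5737 test addresses, and the thresholds (three distinct sources per account, two distinct accounts per source) are assumptions you would tune to your own login volume.

```python
from collections import defaultdict

# Constructed sample authentication events in a hypothetical format:
#   <timestamp> <FAIL|OK> user=<login> ip=<source address>
# These lines are invented for illustration and are not GitHub log data.
SAMPLE_LOG = """\
2013-11-19T10:00:01Z FAIL user=alice ip=203.0.113.5
2013-11-19T10:04:12Z FAIL user=alice ip=198.51.100.77
2013-11-19T10:09:33Z FAIL user=alice ip=192.0.2.140
2013-11-19T10:15:02Z FAIL user=alice ip=203.0.113.88
2013-11-19T10:21:45Z FAIL user=bob ip=203.0.113.5
2013-11-19T10:26:10Z FAIL user=bob ip=198.51.100.77
2013-11-19T10:30:59Z FAIL user=bob ip=192.0.2.140
2013-11-19T10:41:00Z OK   user=bob ip=192.0.2.140
2013-11-19T10:45:31Z FAIL user=carol ip=198.51.100.23
2013-11-19T10:47:02Z FAIL user=carol ip=198.51.100.23
2013-11-19T11:02:17Z OK   user=dave ip=203.0.113.200
"""


def parse_events(text):
    """Turn log lines into dicts (ts, ok, user, ip); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, result, user_field, ip_field = parts
        if not (user_field.startswith("user=") and ip_field.startswith("ip=")):
            continue
        events.append({
            "ts": ts,
            "ok": result == "OK",
            "user": user_field[len("user="):],
            "ip": ip_field[len("ip="):],
        })
    return events


def targeted_accounts(events, min_ips=3):
    """Accounts whose failed logins came from at least min_ips distinct sources.

    Per-source failure counts stay tiny in a distributed, slow attack, so the
    signal is the breadth of sources per account rather than attempts per IP.
    """
    ips_by_user = defaultdict(set)
    for e in events:
        if not e["ok"]:
            ips_by_user[e["user"]].add(e["ip"])
    return {user for user, ips in ips_by_user.items() if len(ips) >= min_ips}


def attack_ips(events, min_accounts=2):
    """Sources whose failed logins spanned at least min_accounts distinct accounts."""
    users_by_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_accounts}


def successes_from(events, ips):
    """Successful logins from the given source set: candidates for a forced reset,
    even when the account's own password never failed a guess."""
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in ips]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("accounts under distributed guessing:", sorted(targeted_accounts(evs)))
    sources = attack_ips(evs)
    print("sources shared across accounts:", sorted(sources))
    print("successful logins from those sources:", successes_from(evs, sources))
```

In the sample, no source fails more than once against any one account, which is why a per-IP lockout threshold alone would never fire; correlating across accounts is what surfaces the shared sources, and the successful login from one of them is exactly the case the article describes GitHub resetting.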

Those with strong passwords or with two-factor authentication (TFA) enabled would have been able to see the failed login attempts on their account's security page, as have the dozens of GitHub users who over the past 48 hours reported attempts on their accounts from IP addresses in China, Indonesia, Ecuador, Venezuela, and elsewhere.

The failed login attempts are logged in the Security History page provided by GitHub, which, as GitHub noted in a brief alert today, is accessible to users with a strong password and GitHub's two-factor authentication enabled.

Liam Tung
