Popular software hosting service GitHub has urged users to set up two-factor authentication after an automated password-guessing attack compromised some accounts with weak passwords.
With massive password leaks appearing nearly weekly and reusing the same across passwords across multiple accounts still common practice, automated password attacks are one good reason to set up an extra layer of authentication for crucial online services. Apple, DropBox, Google, Twitter, Facebook and Microsoft have all rolled out two-factor authentication over the past year.
GitHub has sent out emails to users with weak passwords whose accounts were compromised in a password-guessing attack on its authentication system that was launched from around 40,000 unique IP addresses.
The IP addresses were used to "slowly brute force weak passwords or passwords used on multiple sites", according to a blogpost by GitHub security manager Shawn Davenport today.
GitHub has reset passwords on compromised accounts and is telling those affected to create a new, stronger password. It's also revoked personal access tokens, OAuth authorisations, and SSH keys on the affected accounts.
GitHub has even reset some user accounts with strong passwords after detecting logins on the accounts from IPs that were used in the attack, Davenport said.
Those with strong passwords or with TFA enabled would have been able to see failed login attempts on its authentication login page, such as the dozens of GitHub users who have over the past 48 hours reported attempts on user accounts from IP addresses in China, Indonesia, Ecuador, Venezuela, and elsewhere.
The failed login attempts are logged in the Security History page provided by GitHub, which, as GitHub noted in a brief alert today, is accessible to users with a strong password and its two-factor authentication enabled.
- GitHub adds two-factor authentication to user accounts
- GitHub improves open-source licensing polices
- Tale of two breaches shows passwords not the real problem
- Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad)
- A good password can still trump sketchy security