According to this article at ThreatPost, some GitHub accounts were possibly compromised by attackers and sensitive information may have been leaked. Based on everything known so far, GitHub itself was not breached; attackers used credentials gathered in other breaches to log in to GitHub accounts.
- GitHub notes that it is reaching out to affected users directly. Whether or not GitHub has contacted you, changing your passwords on publicly available sites from time to time isn’t a bad idea.
- Use 2FA (two-factor authentication). I didn’t see anything specifically about 2FA in the article, but I’m a huge fan and this is a good opportunity to talk about it. If you aren’t using it, fix that. Go ahead, we’ll wait…
- Don’t share passwords between sites. This can’t be said enough. Even if a site says it salts and hashes your password a million times and stores only that final hash, assume it is actually storing the password in plain text somewhere and that it can be breached easily. Don’t share passwords between sites, domains, tools, or anything else. It’s just a bad plan.
GitHub is a site and tool used by all kinds of people for all kinds of things, from software development to plain old file storage (our DEF CON group, DC770, uses it for shared storage for the group). If an attacker compromised the GitHub account behind a popular piece of open source software and updated the codebase to include a remote exploit, anyone who updated that software before the legitimate developer realized what had happened would be exposed as soon as they installed the new version.