Yes, even coders make the mistake of reusing passwords

Graham Cluley
@gcluley

GitHub has issued a security advisory:

On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of GitHub.com accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.

The end result is that for some accounts “other personal information including listings of accessible repositories and organizations may have been exposed.” Yuck.

GitHub has reset passwords for affected accounts and is reaching out to affected users.

Sign up to our newsletter
Security news, advice, and tips.

It’s important to underline that GitHub itself didn’t suffer a breach. The passwords were probably gleaned from mega-breaches on other sites such as LinkedIn and Tumblr.

Repeat after me:

Thou shalt not make to thyself the same password on different websites, and thou shalt enable two-factor authentication pronto.


Author: Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.