GitHub has issued a security advisory:
On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of GitHub.com accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.
The end result is that for some accounts “other personal information including listings of accessible repositories and organizations may have been exposed.” Yuck.
GitHub has reset passwords for affected accounts and is reaching out to affected users.
It’s important to underline that GitHub itself didn’t suffer a breach. The passwords were probably gleaned from mega-breaches on other sites such as LinkedIn and Tumblr.
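The attack GitHub describes is a credential-stuffing run: a few attempts each against many distinct accounts, most of them failing. Below is detection logic of the kind a defender would run over authentication logs to surface that pattern; it is an added example, not GitHub's own tooling, and the log format, thresholds and sample lines are all constructed assumptions.

```python
# Credential-stuffing heuristic: flag a source IP that hits many distinct
# accounts inside a short window with a low success ratio. A legitimate user
# who mistypes a password retries ONE account; a stuffing run fans out.
from collections import defaultdict
from datetime import datetime

MIN_ACCOUNTS = 5         # distinct accounts per source before we flag
WINDOW_SECONDS = 600     # sliding window length
MAX_SUCCESS_RATIO = 0.2  # stuffing runs mostly fail

# Constructed sample log, one event per line: "<iso timestamp> <src ip> <account> <ok|fail>"
SAMPLE_LOG = """\
2016-06-14T19:00:01 203.0.113.7 alice fail
2016-06-14T19:00:02 203.0.113.7 bob fail
2016-06-14T19:00:03 203.0.113.7 carol ok
2016-06-14T19:00:04 203.0.113.7 dave fail
2016-06-14T19:00:05 203.0.113.7 erin fail
2016-06-14T19:00:06 203.0.113.7 frank fail
2016-06-14T19:05:00 198.51.100.9 alice fail
2016-06-14T19:05:10 198.51.100.9 alice fail
2016-06-14T19:05:20 198.51.100.9 alice ok
"""

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "ok"

def find_stuffing_sources(log_text):
    """Return {ip: max distinct accounts seen in one window} for flagged sources."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, ok = parse_line(line)
            events[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start..end] spans <= WINDOW_SECONDS
            while (evs[end][0] - evs[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            accounts = {a for _, a, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(accounts) >= MIN_ACCOUNTS and successes / len(window) <= MAX_SUCCESS_RATIO:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged
```

The second source in the sample retries a single account and is not flagged, which is the distinction that keeps this heuristic from paging on ordinary forgotten passwords.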
Repeat after me:
Thou shalt not make to thyself the same password on different websites, and thou shalt enable two-factor authentication pronto.