GitHub Presses Big Red Password Reset Button After Third-Party Breach (theregister.co.uk)

John Leyden, writing for The Register: GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third-party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains. GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected. "We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account," GitHub sensibly advised.

32 comments

  1. Other third party site breach by Guybrush_T · · Score: 1

    Does anyone know which other third-party site was breached? Or is it just an accumulated database of all historical breaches?

    1. Re:Other third party site breach by buchner.johannes · · Score: 1

      There is http://www.adeptus-mechanicus....

      If companies were smart they would reset and ban all passwords in those lists and the most common password topologies, as listed here and here

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:Other third party site breach by sexconker · · Score: 3, Interesting

      There was at least one major dump recently. I don't know when the breaches behind that dump occurred or how many of them there were. Initial reports were that it was all LinkedIn's fault. But as far as I know LinkedIn still denies this. Several sites are resetting passwords for users, issuing alerts, etc. based on the presence of user names in the dumps.

      So it's now gotten to a point where 1 site failing will result in other sites forcing you to change your password as well, because they force you to use an email address as a username and they assume you are reusing passwords. Terrible. Don't make me use an email address as a username, and don't make me reset my unique password because you assume all your users are idiots. ESPECIALLY when you're doing this as a reaction to a suspected third-party breach, where the user's accounts across other sites tied to their email address have been potentially compromised. (Hint: your "I forgot my password" tool sends a link or temporary password to the registered email account, which is just as potentially compromised as the account you are trying to protect by forcing a reset.)

    3. Re:Other third party site breach by Lumpy · · Score: 1

      If companies were smart they would not store any passwords at all but hashes so that breaches would not give hackers a pile of usernames and passwords.

      --
      Do not look at laser with remaining good eye.
    4. Re:Other third party site breach by Anonymous Coward · · Score: 0

      It's more than that. First, do not use the retarded MD5, and enforce passwords 10 characters long or longer. By doing that and adding in maybe a bit of obfuscation padding like the first 5 and last 5 of the hash are actually random characters, the world's best hackers could not recover the passwords in 50 years.

      Problem is websites are not written by software professionals but instead web-designers that have ZERO CS education.

    5. Re:Other third party site breach by Hylandr · · Score: 1

      There are more people that write secure code in this world that do not have a cs education than people that have a cs education. I promise you people with a cs education are just as capable of writing shitty insecure code, or using insecure easy to hack passwords. These cs dolts are more dangerous because attitudes like yours lead people to think cs dorks don't need their shit checked.

      Look at Microsoft as an example of this just for starters, then get off your educational high horse.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    6. Re:Other third party site breach by Anonymous Coward · · Score: 0

      Real conversation from last week:

      Consultant: Hey man, you know those turd programmers you just fired rolled their own auth system? It's riddled with security holes. And it's "protecting" access to our juicy important DB that's exposed to the public internet.

      CTO: Yeah, I know. No time to deal with that, just leave it.

    7. Re:Other third party site breach by Anonymous Coward · · Score: 0

      It was LinkedIn.

    8. Re:Other third party site breach by The-Ixian · · Score: 1

      I think they are probably being a little bit more intelligent than you describe.

      I was not forced to change my password upon login to GitHub (I just tried). I use unique passwords for all sites.

      So, probably what is happening is GitHub got a copy of the account list and started checking passwords against its own db.

      Since GitHub knows the encryption methods of its own accounts db, it can run the compromised account list through its encryption process and match the output to users' hashes. They can then flag any accounts with a match.

      --
      My eyes reflect the stars and a smile lights up my face.
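The matching process The-Ixian describes above (and the hashes-not-plaintext point made earlier in the thread), as an added example that is not GitHub's code or anything from the original post: a site that stores only salted PBKDF2 hashes can hash each leaked email/password pair with that user's own salt and compare the result to the stored hash, flagging only the accounts where the third-party password was reused. PBKDF2-HMAC-SHA256 and the sample accounts and "dump" are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# PBKDF2-HMAC-SHA256 stands in for whatever slow, salted hash the site uses
# (an assumption; the thread does not say what GitHub actually uses).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, hash) as the site would store them; the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def find_reused_credentials(accounts: Dict[str, Tuple[bytes, bytes]],
                            leaked: List[Tuple[str, str]]) -> List[str]:
    """Flag local accounts whose stored hash matches a password from a third-party dump.
    accounts: email -> (salt, stored_hash); leaked: (email, plaintext) pairs."""
    flagged = []
    for email, leaked_pw in leaked:
        record = accounts.get(email)
        if record is None:
            continue  # not one of our users, nothing to check
        salt, stored = record
        # Constant-time comparison, same as a normal login check would use.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            flagged.append(email)
    return flagged


# Constructed sample data: three local accounts and a constructed "dump".
ACCOUNTS = {
    "alice@example.com": store_password("correct horse battery staple"),
    "bob@example.com": store_password("hunter2"),
    "carol@example.com": store_password("Tr0ub4dor&3"),
}
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # reused -> reset
    ("bob@example.com", "hunter3"),                          # different -> fine
    ("dave@example.com", "hunter2"),                         # not our user
]

if __name__ == "__main__":
    print(find_reused_credentials(ACCOUNTS, LEAKED))  # ['alice@example.com']
```

Only accounts in the flagged list need a forced reset, which is consistent with users holding unique passwords not being prompted.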
  2. I'm glad they put security first and foremost. by Anonymous Coward · · Score: 1

    Good show, GitHub! I am very happy to see that they put security first and foremost.

    I do say, it would have been a terrible disaster if somebody had breached the accounts of GitHub users, and done something dastardly like update some of the long-abandoned Rust libraries to actually compile with this week's Rust compiler, or made some badly needed bug fixes to the many JavaScript libraries that the original authors have lost interest in maintaining.

    1. Re:I'm glad they put security first and foremost. by Anonymous Coward · · Score: 0

      Please, fixing stuff is so old school. If there's a buggy library you publish a new library that sits between the main code and old library. The new library checks the calls and when it sees one that will trigger the bug, you return the proper response if you feel like it. Now every piece of software that uses the old library will require your library and your social achievement badges go from "Made 1 contribution to XYZ" to "Downloaded between 100,000 and a billion times" and "Used by 18 of the top 19 companies in the world".

      Bonus points if you leave a bug in your new library and publish a new project to fix that. Get with the times!

    2. Re:I'm glad they put security first and foremost. by Anonymous Coward · · Score: 0

      Fork the repository, fix the bug, publish your changes. No one is going to stop you.

  3. Attacks are fast and furious by Anonymous Coward · · Score: 0

    I've been surprised at the amount of intrusion attempts directly related to the Myspace leak, and how quick they started. One of my domains is a letter off from an ISP and its users routinely typo their addresses. I got an alert from HaveIBeenPwned that dozens of accounts on that domain were compromised in the Myspace leak, and the same day, bots started attacking those (non-existing) accounts through SSH and SMTP. The bad guys already have the infrastructure ready to go when a new leak comes out, they just plug in the list of credentials and start trying to login.

  4. Nice, and... please don't screw up the notificatio by Anonymous Coward · · Score: 0

    Hopefully they just send emails that say: 1. We have reset the password on your account because... hack.... 2. Next time you try to access your account, you will need to use the "reset password" feature

    And please please DO NOT send a paypal style message that for security reasonz we need to verify your account, click here and tell us your social.

  5. Whew, not effected. by UnknownSoldier · · Score: 1

    Just logged in and didn't have to reset my password.

    I guess they don't say which percentage of accounts were affected.

    1. Re:Whew, not effected. by Anonymous Coward · · Score: 1

      Just logged in and didn't have to reset my password.

      Ya. I just logged into your account too and everything seems fine.

  6. Two factor by cliffjumper222 · · Score: 2

    If you aren't using it yet, you should. Indeed, I'd like all sites to enable 2-factor by default. It's not like most folks don't have phones or email accounts.

    1. Re:Two factor by markus · · Score: 1

      Ideally, everybody should enable U2F token support. It is cheap, probably more secure than most other mainstream 2FA options, and you only need a single token no matter how many sites or accounts you want to secure. It's also much easier to use.

    2. Re:Two factor by Anonymous Coward · · Score: 0

      But I don't have them tied to my random online accounts. Not only will the breaches also lose your password, now you'll lose your real and active phone and email addresses. Plus you'll be tracked across every site and every breach. No one knows if the Slashdot user User549 is the same as Reddit user User549, but their same phone number or email will link them.

      2-factor is data mining heaven and a marketer's wet dream. If you want to hand over the tracking equivalent of your SSN be my guest, but don't force me to do the same. Sure Google can give you multiple phone numbers, but I also don't want Google to have complete records of absolutely everything I do.

      How about we look at the real issue? It shouldn't be possible to reuse stolen credentials as they should be uniquely hashed and not the real passwords. You can slowly brute force that with birthday-type attacks, but it won't give you tens of thousands of accounts. Any service that can say your new password is too similar to your old one has poor password security and is at risk of highly damaging breaches.

    3. Re:Two factor by Anonymous Coward · · Score: 0

      It shouldn't be possible to reuse stolen credentials as they should be uniquely hashed and not the real passwords.

      Which solves no problem here.

      The problem is lunixonthedesktop@2017.com is using 'iamafuckingretard' for say, both Facebook and midgetdonkeysex.com.

      Someone breaches midgetdonkeysex.com, grabs the DB, starts doing that good ol' cracking thing, and figures out that lunixonthedesktop@2017.com's password is iamafuckingretard. Awesome. Now they can go try that e-mail/password combination on other sites, because who gives a fuck about security when it comes to Facebook or Midget Donkey Sex videos?

    4. Re:Two factor by tepples · · Score: 1

      Just because you have a phone doesn't mean it's specifically a cell phone with a plan that includes unlimited incoming SMS. Many authentication services (such as Twitter's) refuse to send messages to landlines' SMS-to-voice gateways, and pay-as-you-go cellular plans in the U.S. market (as opposed to monthly plans) tend to deduct on the order of 10 to 40 cents per sent or received message from the subscriber's balance. The U.S. differs from Europe in that in the U.S., both parties pay their half of airtime charges, whereas in Europe, the sender pays for both halves.

    5. Re:Two factor by tepples · · Score: 1

      Any service that can say your new password is too similar to your old one has poor password security

      Unless it requires you to enter your old password in order to set a new password. With both the old and new passwords submitted from the same form, the site's validator can use the Levenshtein edit distance call in many languages' standard libraries or commonly used add-on libraries. I'll admit this doesn't work for resets.
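The similarity check tepples describes, as an added example not taken from the post: when the change-password form submits both the old and the new password, the server has the old plaintext in hand for that one request and can compute the Levenshtein edit distance between the two without ever storing anything reversible. The minimum-distance policy value and the case-folding are assumptions for the example; the check assumes the old password has already been verified against the stored hash.

```python
def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert, delete, substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True when the new password is within min_distance edits of the old one.
    Compared case-insensitively so 'Hunter2' -> 'hunter3' is still caught.
    min_distance is a constructed policy value, not one from the thread."""
    return levenshtein(old.lower(), new.lower()) < min_distance


def validate_change(old: str, new: str) -> str:
    """Server-side rule for a change-password form that carries both passwords.
    As the post notes, a reset flow cannot do this: the old plaintext is absent."""
    if new == old:
        return "rejected: unchanged"
    if too_similar(old, new):
        return "rejected: too similar to current password"
    return "ok"


if __name__ == "__main__":
    print(validate_change("hunter2", "Hunter2!"))        # rejected: too similar
    print(validate_change("hunter2", "correct horse"))   # ok
```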

    6. Re:Two factor by Anonymous Coward · · Score: 0

      I don't have a phone, never will.

      A phone is not a valid "second factor" login component. Sorry.

      Giving my phone number (if I had one) to an online service is a SECURITY LIABILITY anyway. Just more data to be harvested in a breach.

      No. Just no.

      Two factor authentication is a load of crap. It is a way to harvest phone numbers (and real identity) from the gullible. My bet is the NSA cooked up this meme (a meme in the real sense of the word, not the new internet definition).

    7. Re:Two factor by Anonymous Coward · · Score: 0

      mod this bullshit down please

    8. Re:Two factor by allo · · Score: 1

      2-FA prevents reasonable privacy.
      Either you need to use your authenticator all the time or you cannot delete your cookies, as the site will see your visit as new visit requiring a new code.
      So use a strong password instead.

    9. Re:Two factor by jittles · · Score: 1

      If you aren't using it yet, you should. Indeed, I'd like all sites to enable 2-factor by default. It's not like most folks don't have phones or email accounts.

      I can count the number of websites that I care about TFA on two hands. And how many websites out there make you create a username and password to do anything? I have a special email address for those useless sites. And a very weak password. They're not worth the effort.

    10. Re:Two factor by The-Ixian · · Score: 1

      I am with you. The only things I use 2FA for are banking, password manager, Facebook & Google (because I use their authentication system sometimes) and e-mail accounts (and WoW because you get a pet).

      Even with those, 2FA is enough of a hassle that I consider removing it sometimes. I certainly do not need every web site I log in to know my phone number.

      --
      My eyes reflect the stars and a smile lights up my face.
  7. This isn't new by golgotha007 · · Score: 1

    I work for a high-use API site, and I've been seeing these kinds of attacks regularly now for 6 months or more.

    Basically, it's a barrage of user/pass attempts coming from hundreds, sometimes thousands of different IP addresses. I wrote custom filters to specifically identify these requests and black-hole them in the nginx proxy. Luckily, we require that 2FA is enabled on all accounts, so nothing is seriously at risk.

    I urge everyone to use 2FA on all sensitive sites where available. These kinds of attacks are going to become more commonplace.
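The traffic pattern golgotha007 describes, as an added example that is not the poster's nginx filter: credential stuffing looks unlike single-account brute force, since many distinct usernames each fail a few times across many source addresses in one window, so a detector can key on that shape rather than on per-account failure counts. The log format, the thresholds and the sample lines are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed application auth-log format: <ISO timestamp> login_failed user=<name> ip=<addr>
LINE_RE = re.compile(r"^(\S+) login_failed user=(\S+) ip=(\S+)$")


def parse(lines: List[str]):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3)


def detect_stuffing(lines: List[str], window: timedelta = timedelta(minutes=5),
                    min_users: int = 20, min_ips: int = 10,
                    max_per_user: int = 3) -> Dict[str, object]:
    """Verdict plus the source IPs worth black-holing. Thresholds are constructed
    policy values: many users, many IPs, but only a few tries per user."""
    events = sorted(parse(lines))
    if not events:
        return {"stuffing": False, "block": []}
    start = events[0][0]
    in_window = [(u, ip) for t, u, ip in events if t - start <= window]
    per_user = Counter(u for u, _ in in_window)
    per_ip_users = defaultdict(set)
    for u, ip in in_window:
        per_ip_users[ip].add(u)
    stuffing = (len(per_user) >= min_users and len(per_ip_users) >= min_ips
                and max(per_user.values()) <= max_per_user)
    # Only block sources that tried several different accounts; a real user
    # fumbling their own password from one address is left alone.
    block = sorted(ip for ip, users in per_ip_users.items() if stuffing and len(users) >= 2)
    return {"stuffing": stuffing, "block": block}


def sample_stuffing_log() -> List[str]:
    """Constructed: 15 bot IPs each trying two leaked usernames once, plus alice
    mistyping her own password twice from her home address."""
    lines = [f"2016-06-15T10:00:{2*i + k:02d}Z login_failed user=leaked{2*i + k} ip=203.0.113.{i + 1}"
             for i in range(15) for k in range(2)]
    lines += ["2016-06-15T10:01:10Z login_failed user=alice ip=198.51.100.7",
              "2016-06-15T10:01:40Z login_failed user=alice ip=198.51.100.7"]
    return lines


def sample_bruteforce_log() -> List[str]:
    """Constructed: one IP hammering a single account (a different problem)."""
    return [f"2016-06-15T11:00:{s:02d}Z login_failed user=bob ip=192.0.2.9" for s in range(40)]
```

The brute-force sample is not flagged by this rule on purpose; per-account lockout or rate limiting handles that case, while the stuffing verdict feeds the proxy block list.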

    1. Re:This isn't new by Anonymous Coward · · Score: 0

      So are you going to buy me a phone, pay the bill and put your name on the account?

      Also, it is not that hard to get a phone in someone else's name.

      2FA is bullshit.

    2. Re:This isn't new by dave420 · · Score: 1

      You don't need a phone for 2FA. It might help you to understand this before complaining about it.

  8. Targeted users only? by pahles · · Score: 1

    I received an email that there was suspicious activity on my account, urging me to change my password. Since I don't know my password (I use a password manager), I looked it up. I'm 100% sure I have not used this particular password with any other account (it was 'randomly' generated by the password manager), so I guess they have emailed everyone.

    --
    Sig?
    1. Re:Targeted users only? by The-Ixian · · Score: 1

      That is strange. I am in the exact same boat. I looked up my password for GitHub and it was a 24 character random password with symbols.

      I logged in and changed it to another similarly long password anyway.

      Still, I received no notice and I was not prompted to change my password upon login.

      --
      My eyes reflect the stars and a smile lights up my face.