GitHub Presses Big Red Password Reset Button After Third-Party Breach (theregister.co.uk)
John Leyden, writing for The Register: GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third-party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains. GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected. "We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account," GitHub sensibly advised.
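The response the article describes (identify accounts hit by credential stuffing with third-party passwords, reset the ones that were actually entered, notify the rest) can be reconstructed from ordinary login logs. The following is an added illustration, not code from The Register or GitHub: the log format, the IP addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all constructed for the example. It flags a source that tries many distinct usernames with a high failure rate inside a short window, then splits the usernames it touched into "reset now" (a login from the flagged source succeeded, so the reused password is known to the attacker) and "notify" (attempted but not broken).

```python
"""Credential-stuffing triage over web login logs (added example, constructed data)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 walks a list of usernames with passwords from a third-party dump;
# only "frank" reused his password there. The 198.51.100.x lines are normal users.
SAMPLE_LOG = """\
2016-06-14T10:00:01 203.0.113.7 alice FAIL
2016-06-14T10:00:02 203.0.113.7 bob FAIL
2016-06-14T10:00:02 203.0.113.7 carol FAIL
2016-06-14T10:00:03 203.0.113.7 dave FAIL
2016-06-14T10:00:04 203.0.113.7 erin FAIL
2016-06-14T10:00:05 203.0.113.7 frank OK
2016-06-14T10:00:07 198.51.100.20 grace FAIL
2016-06-14T10:00:20 198.51.100.20 grace OK
2016-06-14T10:01:00 198.51.100.21 heidi OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_stuffing_sources(
    events: list[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> dict[str, dict]:
    """Return {src_ip: stats} for sources whose sliding window shows the
    credential-stuffing signature: many distinct usernames, mostly failures.
    A single user fat-fingering a password never trips this (one username)."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge so it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start : end + 1]
            users = {e.user for e in win}
            fails = sum(not e.success for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "failures": fails,
                               "attempts": len(win), "first_seen": win[0].ts}
                break  # one hit is enough to flag the source
    return flagged


def triage(events: list[LoginEvent], flagged_ips: dict[str, dict]) -> dict[str, list[str]]:
    """Split accounts touched by flagged sources: a successful login means the
    reused password is in the attacker's hands (reset now); a failed attempt
    means the account was targeted but held (notify, suggest 2FA)."""
    reset_now: set[str] = set()
    notify: set[str] = set()
    for e in events:
        if e.src_ip in flagged_ips:
            (reset_now if e.success else notify).add(e.user)
    notify -= reset_now
    return {"reset_now": sorted(reset_now), "notify": sorted(notify)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    for ip, stats in sources.items():
        print(f"stuffing source {ip}: {stats}")
    print(triage(evs, sources))
```

On the sample data the only flagged source is 203.0.113.7; "frank" lands in `reset_now` and the five usernames it failed against land in `notify`. The thresholds are deliberately conservative and would be tuned per site; in production the same split would also drive session invalidation for the reset group, which the example leaves out.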
There was at least one major dump recently. I don't know when the breaches behind that dump occurred or how many of them there were. Initial reports were that it was all LinkedIn's fault. But as far as I know LinkedIn still denies this. Several sites are resetting passwords for users, issuing alerts, etc. based on the presence of user names in the dumps.
So it's now gotten to a point where 1 site failing will result in other sites forcing you to change your password as well, because they force you to use an email address as a username and they assume you are reusing passwords. Terrible. Don't make me use an email address as a username, and don't make me reset my unique password because you assume all your users are idiots. ESPECIALLY when you're doing this as a reaction to a suspected third-party breach, where the user's accounts across other sites tied to their email address have been potentially compromised. (Hint: your "I forgot my password" tool sends a link or temporary password to the registered email account, which is just as potentially compromised as the account you are trying to protect by forcing a reset.)