GitHub Presses Big Red Password Reset Button After Third-Party Breach (theregister.co.uk)

← Back to Stories (view on slashdot.org)

GitHub Presses Big Red Password Reset Button After Third-Party Breach (theregister.co.uk)

Posted by msmash on Thursday June 16, 2016 @10:00AM from the security-woes dept.

John Leyden, writing for The Register: GitHub has reset the passwords of users targeted in an attack this week that relied on using stolen credentials from a breach at a third-party site. The software repository itself has not suffered a breach. Hackers behind the assault were trying to break into the accounts of users who had inadvisedly used the same login credentials on an unnamed site that had suffered a breach, as a statement by GitHub explains. GitHub said it had reset the passwords on all affected accounts before beginning the process of notifying those affected. "We encourage all users to practise good password hygiene and enable two-factor authentication to protect your account," GitHub sensibly advised.

20 of 32 comments (clear)

Min score:

Reason:

Sort:

Other third party site breach by Guybrush_T · 2016-06-16 10:06 · Score: 1

Do anyone know which other third-party site was breached ? Or is it just an accumulated database of all historical breaches ..?
1. Re:Other third party site breach by buchner.johannes · 2016-06-16 10:16 · Score: 1
  
  There is http://www.adeptus-mechanicus....
  If companies were smart they would reset and ban all passwords in those lists and the most common password topologies, as listed here and here
  
  --
  NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
2. Re:Other third party site breach by sexconker · 2016-06-16 10:34 · Score: 3, Interesting
  
  There was at least one major dump recently. I don't know when the breaches behind that dump occurred or how many of them were. Initial reports were that it was all Linked In's fault. But as far as I know Linked In still denies this. Several sites are resetting passwords for users, issuing alerts, etc. based on the presence of user names in the dumps.
  So it's now gotten to a point where 1 site failing will result in other sites forcing you to change your password as well, because they force you to use an email address as a username and they assume you are reusing passwords. Terrible. Don't make me use an email address as a username, and don't make me reset my unique password because you assume all your users are idiots. ESPECIALLY when you're doing this as a reaction to a suspected third-party breach, where the user's accounts across other sites tied to their email address have been potentially compromised. (Hint: your "I forgot my password" tool sends link or temporary password to the registered email account, which is just as potentially compromised as the account your are trying to protect by forcing a reset.)
3. Re:Other third party site breach by Lumpy · 2016-06-16 12:01 · Score: 1
  
  If companies were smart they would not store any passwords at all but hashes so that breaches would not give hackers a pile of usernames and passwords.
  
  --
  Do not look at laser with remaining good eye.
4. Re:Other third party site breach by Hylandr · 2016-06-16 14:36 · Score: 1
  
  There are more people that write secure code in this world that do not have a cs education than people that have a cs education. I promise you people with a cs education are just as capable of writing shitty insecure code, or using insecure easy to hack passwords. These cs dolts are more dangerous because attitudes like yours lead people to think cs dorks don't need their shit checked.
  Look at Microsoft as an example of this just for starters, then get off your educational high horse.
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
5. Re:Other third party site breach by The-Ixian · 2016-06-17 04:44 · Score: 1
  
  I think they are probably being a little bit more intelligent than you describe.
  I was not forced to change my password upon login to GitHub (I just tried). I use unique passwords for all sites.
  So, probably what is happening is GitHub got a copy of the account list and started checking passwords against its own db.
  Since GitHub knows the encryption methods of its own accounts db, it can run the compromised account list through its encryption process and match the output to user's hashes. They can then flag any accounts with a match.
  
  --
  My eyes reflect the stars and a smile lights up my face.
I'm glad they put security first and foremost. by Anonymous Coward · 2016-06-16 10:14 · Score: 1

Good show, GitHub! I am very happy to see that they put security first and foremost.
I do say, it would have been a terrible disaster if somebody had breached the accounts of GitHub users, and done something dastardly like update some of the long-abandoned Rust libraries to actually compile with this week's Rust compiler, or made some badly needed bug fixes to the many JavaScript libraries that the original authors have lost interest in maintaining.
Whew, not effected. by UnknownSoldier · 2016-06-16 10:30 · Score: 1

Just logged in and didn't have to reset my password.
I guess they don't say which percentage of accounts were affected.
1. Re:Whew, not effected. by Anonymous Coward · 2016-06-16 11:58 · Score: 1
  
  Just logged in and didn't have to reset my password.
  Ya. I just logged into your account too and everything seems fine.
Two factor by cliffjumper222 · 2016-06-16 11:05 · Score: 2

If you aren't using it yet, you should. Indeed, I'd like all sites to enable 2-factor by default. It's not like most folks don't have phones or email accounts.
1. Re:Two factor by markus · 2016-06-16 11:40 · Score: 1
  
  Ideally, everybody should enable U2F token support. It is cheap, probably more secure than most other mainstream 2FA options, and you only need a single token no matter how many sites or accounts you want to secure. It's also much easier to use
2. Re:Two factor by tepples · 2016-06-16 15:30 · Score: 1
  
  Just because you have a phone doesn't mean it's specifically a cell phone with a plan that includes unlimited incoming SMS. Many authentication services (such as Twitter's) refuse to send messages to landlines' SMS-to-voice gateways, and pay-as-you-go cellular plans in the U.S. market (as opposed to monthly plans) tend to deduct on the order of 10 to 40 cents per sent or received message from the subscriber's balance. The U.S. differs from Europe in that in the U.S., both parties pay their half of airtime charges, whereas in Europe, the sender pays for both halves.
3. Re:Two factor by tepples · 2016-06-16 15:35 · Score: 1
  
  Any service that can say your new password is too similar to your old one has poor password security
  Unless it requires you to enter your old password in order to set a new password. With both the old and new passwords submitted from the same form, the site's validator can use the Levenshtein edit distance call in many languages' standard libraries or commonly used add-on libraries. I'll admit this doesn't work for resets.
4. Re:Two factor by allo · 2016-06-17 00:43 · Score: 1
  
  2-FA prevents reasonable privacy.
  Either you need to use your authenticator all the time or you cannot delete your cookies, as the site will see your visit as new visit requiring a new code.
  So use a strong password instead.
5. Re:Two factor by jittles · 2016-06-17 01:31 · Score: 1
  
  If you aren't using it yet, you should. Indeed, I'd like all sites to enable 2-factor by default. It's not like most folks don't have phones or email accounts.
  I can count the number of websites that I care about TFA on two hands. And how many websites out there make you create a username and password to do anything? I have a special email address for those useless sites. And a very weak password. They're not worth the effort.
6. Re:Two factor by The-Ixian · 2016-06-17 04:49 · Score: 1
  
  I am with you. The only things I use 2FA for are banking, password manager, Facebook & Google (because I use their authentication system sometimes) and e-mail accounts (and WoW because you get a pet).
  Even with those, 2FA is enough of a hassle that I consider removing it sometimes. I certainly do not need every web site I log in to know my phone number.
  
  --
  My eyes reflect the stars and a smile lights up my face.
This isn't new by golgotha007 · 2016-06-16 19:42 · Score: 1

I work for a high-use API site, and I've been seeing these kinds of attacks regularly now for 6 months or more.
Basically, it's a barrage of user/pass attempts coming from hundreds, sometimes thousands of different IP addresses. I wrote custom filters to specifically identify these requests and black-hole them in the nginx proxy. Luckily, we require that 2FA is enabled on all accounts, so nothing seriously at risk,
I urge everyone to use 2FA on all sensitive sites where available. These kinds of attacks are going to become more commonplace.
1. Re:This isn't new by dave420 · 2016-06-17 03:04 · Score: 1
  
  You don't need a phone for 2FA. It might help you to understand this before complaining about it.
Targeted users only? by pahles · 2016-06-17 02:34 · Score: 1

I received an email that there was suspicious activity on my account, urging me to change my password. Since I don't know my password (I use a password manager), I looked it up. I'm 100% sure I have not used this particular password with any other account (it was 'randomly' generated by the password manager), so I guess they have emailed everyone.

--
Sig?
1. Re:Targeted users only? by The-Ixian · 2016-06-17 04:55 · Score: 1
  
  That is strange. I am in the exact same boat. I looked up my password for GitHub and it was a 24 character random password with symbols.
  I logged in and changed it to another similarly long password anyway.
  Still, I received no notice and I was not prompted to change my password upon login.
  
  --
  My eyes reflect the stars and a smile lights up my face.