GitHub is forcing a password reset on some of its users after it detected a number of successful intrusions into accounts on its platform using credentials compromised in other breaches.
“This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” GitHub said in an advisory published Thursday by Shawn Davenport, GitHub VP of security. “We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.”
GitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.
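The pattern GitHub describes, one source trying many different accounts with mostly failures and a few successes, is what a service would look for in its own authentication logs. The following is an added illustration, not GitHub's detection logic; the log format, field names, thresholds and sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log, one line per login attempt (not real GitHub data).
SAMPLE_LOG = """\
2016-06-14T22:01:03Z src=203.0.113.7 user=alice result=FAIL
2016-06-14T22:01:04Z src=203.0.113.7 user=bob result=FAIL
2016-06-14T22:01:04Z src=203.0.113.7 user=carol result=OK
2016-06-14T22:01:05Z src=203.0.113.7 user=dave result=FAIL
2016-06-14T22:01:05Z src=203.0.113.7 user=erin result=FAIL
2016-06-14T22:01:06Z src=203.0.113.7 user=frank result=OK
2016-06-14T22:01:06Z src=203.0.113.7 user=grace result=FAIL
2016-06-14T22:03:10Z src=198.51.100.9 user=alice result=FAIL
2016-06-14T22:03:20Z src=198.51.100.9 user=alice result=OK
2016-06-14T22:04:00Z src=198.51.100.20 user=heidi result=OK
"""

# Assumed line format: "<timestamp> src=<ip> user=<login> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Yield (src_ip, user, succeeded) tuples; lines in an unexpected format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def find_stuffing(text, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that tried at least min_users distinct accounts with a high
    failure ratio. Returns {src_ip: sorted accounts that logged in OK from it}.
    A single account retried from one IP (a forgetful user) is not flagged."""
    users, successes = defaultdict(set), defaultdict(set)
    fails, total = defaultdict(int), defaultdict(int)
    for src, user, ok in parse_log(text):
        users[src].add(user)
        total[src] += 1
        if ok:
            successes[src].add(user)
        else:
            fails[src] += 1
    return {
        src: sorted(successes[src])
        for src in users
        if len(users[src]) >= min_users and fails[src] / total[src] >= min_fail_ratio
    }

def accounts_to_reset(text):
    """Accounts that succeeded from a flagged source: candidates for a forced password reset."""
    hit = set()
    for accounts in find_stuffing(text).values():
        hit.update(accounts)
    return sorted(hit)
```

In the sample, 203.0.113.7 tries seven accounts with five failures and is flagged, so carol and frank become reset candidates, while the lone user retrying from 198.51.100.9 is not.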
It warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.
“If your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,” GitHub said.
The source of the credentials used to attack GitHub accounts is unknown. A request for comment from GitHub was not returned in time for publication; GitHub declined to comment beyond what is in its advisory.
In recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.
Aggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.
“Our intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,” LeakedSource told Threatpost.
VerticalScope, whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believed to be implicated, stolen from sites running outdated vBulletin software that failed to implement HTTPS.
“We believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,” VerticalScope said in its advisory.
The VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were hashed with salted MD5, an outdated algorithm, and were easily crackable. LeakedSource published a top 10 list of the most common passwords, and an unusual number of gibberish, complex-looking passwords were included (18atcskd2w was used on more than 91,000 accounts), indicating that they were likely generated by a bot and used to access the various forums.
In addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.
Experts, meanwhile, continue to caution against password reuse. As these breaches show, using the same password on multiple sites lets an attacker who compromises one site reuse that same access at other locations on the Internet.
“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,” said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.