The web hosting development site GitHub reset a number of users’ passwords and revoked a slew of user security authorizations this week following a wave of brute-force attacks.

According to a blog entry by GitHub’s Security Manager Shawn Davenport yesterday, the incident involved login attempts from almost 40,000 distinct IP addresses and was a slow, concerted effort to break into user accounts using multiple passwords.

It’s not known exactly how many accounts were compromised but users with weak passwords and even in some cases those with stronger passwords had their passwords reset and all of their tokens, OAuth authorizations and SSH keys revoked. Affected users were sent an email yesterday requesting they create a stronger password, examine their account for “suspicious activity” and urging them to set up two-factor authentication.

Companies such as Apple, Dropbox, Twitter and Evernote have all added two-factor authentication schemes wherein users enter a numerical code along with a username and password to their products over the past year or so to bolster security.

GitHub claims it’s looking into the attack but in the meantime is working on instituting even more acute rate-limiting measures to curb brute force attacks going forward.

“In addition, you will no longer be able to login to with commonly-used weak passwords,” Davenport notes.

Davenport also took the opportunity to remind GitHub users that the site runs a Security History page for each of its users that logs important events. Launched in October, the feature lets users see a list of active sessions with the ability to remotely revoke them.

Categories: Web Security