Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

GitHub Exposed Passwords of Some Users

GitHub has instructed some users to reset their passwords after a bug caused internal logs to record passwords in plain text.

GitHub has instructed some users to reset their passwords after a bug caused internal logs to record passwords in plain text.

Several users posted screenshots on Twitter of the security-related email they received from GitHub on Tuesday. The company told impacted customers that the incident was discovered during a regular audit.

GitHub claims only a “small number” of users are affected and the issue has been resolved, but impacted individuals will only regain access to their accounts after they reset their password.

“GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset,” GitHub said.

The company has assured users that the plaintext passwords were never accessible to the public, other GitHub users, and a majority of GitHub staff. While some staff members could have accessed the logs containing the plaintext passwords, GitHub believes it’s “very unlikely” to have happened.

GitHub has highlighted that its systems have not been hacked or compromised in any way.

This is not the first time the Git repository hosting service has asked users to reset their passwords. Back in mid-2016, the company locked some users out of their accounts after malicious actors had started abusing credentials leaked from other online services to log in to GitHub accounts.

The company announced recently that it paid out a total of $166,495 to security researchers who reported vulnerabilities through its bug bounty program last year.

Advertisement. Scroll to continue reading.

Related: GitHub Enforces Stronger Encryption

Related: GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.