On June 14, GitHub was hit by numerous intrusion attempts from an attacker holding e-mail and password combinations obtained from breaches of other online services.
On June 14, someone holding a list of e-mail addresses and passwords obtained from the compromise of various online services made a massive number of attempts to log in to GitHub. The security administrators reviewed the log of access attempts and identified how the attacker was able to gain access to a number of accounts.
The source of the e-mail and password combinations cannot be known, but it is very likely that many account credentials taken from the MySpace, Tumblr, LinkedIn and Fling database breaches that took place in recent months, more than 642 million accounts in total, are currently circulating on the network. Although many of them date back more than three years, they may still be in use by GitHub users.
Shawn Davenport, Vice President of Security for GitHub, announced that the passwords of the accounts the attacker could access have already been reset and that the affected users have been contacted individually with instructions for account recovery. GitHub has also urged all users of the service to enable two-factor authentication and review their passwords, pointing to an xkcd comic that explains the principles to follow when creating a strong password.
In his blog post, Davenport did not make clear whether the attack was carried out via the website or through the GitHub API. The number of compromised accounts is also unclear, though it seems there has been a loss of data and information. Obviously, however, the information and data of the hijacked accounts may have been stolen.