Code repository GitHub warned “a select number of users” today that due to a flaw in its password reset system, the company had stored their passwords in plain text on internal logs.
Servers. Photo: Getty Images
Per BleepingComputer, the site says this security flaw was discovered during “regular auditing” and no one but a small number of GitHub staff should have been able to gain access to the files where the passwords were stored – making this unlike a 2016 incident where someone who had found lists of GitHub logins online had made multiple “unauthorised attempts” to log into accounts, some of which the company said were successful.
Affected users were asked to reset passwords to once again access to their accounts.
“GitHub stores user passwords with secure cryptographic hashes (bcrypt),” an extremely strong encryption algorithm, the site wrote in an email posted by several users. “… GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.”
Whoah @github seems having a #users #password issue. Anyone else have received it?
↘ pic.twitter.com/m8ybsanjBP— SwitHak (@SwitHak) May 1, 2018
It isn’t immediately clear how long the issue has been ongoing, though the small number of users impacted suggests that GitHub hasn’t accidentally been logging passwords every time the reset function was used.
A number of high-profile breaches or embarrassing vulnerabilities in recent years have involved customer or user passwords stored in plain text on unsecured servers, including computer systems for Panera Bread, T-Mobile and Saks Fifth Avenue. But for someone to gain access to internal GitHub logs, they would have presumably needed to penetrate other layers of security.
In any case, anyone who happens to have received one of these emails should probably reset their passwords – better safe than sorry – as well as make sure that the potentially compromised one isn’t in use on other sites.