Repository’s own account data not breached, affected passwords reset.

On June 14, someone using what appears to have been a list of e-mail addresses and passwords obtained from the breach of “other online services” made a massive number of login attempts to GitHub’s repository service. A review of logins by GitHub’s administrators found that the attacker had gained access to a number of accounts, according to a blog post by Shawn Davenport, Vice President of Security at GitHub.
Davenport said that the passwords of the accounts accessed successfully by the attacker have all been reset. GitHub has begun contacting each affected user individually with instructions on how to get back into their account. He also urged GitHub users to enable two-factor authentication for the service and to “practice good password hygiene”—providing a link to an xkcd comic on password strength to explain.
Davenport didn’t say whether the attack was through the website or through the GitHub API. He also didn’t reveal how many accounts were compromised, though it doesn’t appear that any data was lost. “For some accounts, other personal information including listings of accessible repositories and organizations may have been exposed,” he wrote.