GitHub has warned users to review their password security after mass brute force hacking attempts from some 40,000 IP addresses were launched against accounts.
Attackers targeted accounts with weak passwords and those reused on other sites. It was suggested but not known if the targeted passwords were linked to breaches of vBulletin or Adobe.
GitHub was investigating the attacks, had banned individuals from using common passwords on the site and had "aggressively" rate-limited login attempts.
Security manager Shawn Davenport said it reset affected account passwords and wiped access tokens.
"Their passwords have been reset and personal access tokens, OAuth authorisations, and SSH keys have all been revoked," Davenport said in a blog.
"This investigation is ongoing and we will notify you if at any point we discover unauthorised activity relating to source code or sensitive account information."
It’s an automated attack we’re mitigating. Keep a strong password and 2fa and you should be good.
— Zach Holman (@holman) November 19, 2013
Accounts with login attempts traced to the attacking IP addresses from China, Venezuela and Indonesia also had passwords reset, regardless of the complexity of the access credentials.
Users should enable two factor authentication and ensure they set strong, high entropy passwords.
.jpg&h=140&w=231&c=1&s=0)
