
Brute-force attack on GitHub


On November 19, a post appeared on the official GitHub blog stating that some user accounts with weak passwords had been compromised.

The administration urges users to enable two-factor authentication and to use complex passwords.



Instructions on what to do next have already been sent to the e-mail addresses of the accounts whose passwords were compromised; access to their repositories has been reset, and their OAuth and SSH keys have been revoked as well.

According to Shaun Davenport, the guessing came from roughly 40,000 unique IP addresses, so a botnet appears to have been used. GitHub hashes passwords with the bcrypt algorithm, which makes brute-force attacks less efficient, since bcrypt is deliberately slow: computing the hash of each password guess takes a significant amount of time.



In response to the attack, restrictions were imposed on the frequency of login attempts and on password complexity. In addition, a user-activity monitoring system has been introduced that analyzes global changes to repositories and notifies their owners of the changes made. The exact number of compromised accounts has not been disclosed.
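An added example, not from the Habr post or from GitHub, of why a login-frequency limit applied per IP alone is blind to guessing spread over tens of thousands of addresses: on a constructed authentication log, each botnet IP fails only once or twice, so the per-IP rule stays silent, while counting distinct failing IPs per account inside a time window flags the targeted account. Log format, thresholds and IP addresses are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real GitHub data): "timestamp ip user result".
# Each botnet IP tries only once, so no single IP ever trips a per-IP limit.
SAMPLE_LOG = """\
2013-11-19T10:00:01 203.0.113.10 alice FAIL
2013-11-19T10:00:03 203.0.113.11 alice FAIL
2013-11-19T10:00:05 203.0.113.12 alice FAIL
2013-11-19T10:00:06 203.0.113.13 alice FAIL
2013-11-19T10:00:09 203.0.113.14 alice FAIL
2013-11-19T10:00:15 203.0.113.15 alice OK
2013-11-19T10:00:20 198.51.100.7 bob FAIL
2013-11-19T11:30:00 203.0.113.10 carol FAIL
"""
PER_IP_THRESHOLD = 5      # classic rate limit: failures from one IP (assumed value)
DISTRIBUTED_MIN_IPS = 5   # distinct IPs failing against one account (assumed value)
WINDOW = timedelta(minutes=10)

def parse_log(text):
    """Return (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def noisy_ips(events, threshold=PER_IP_THRESHOLD):
    """Per-IP rule: IPs with at least `threshold` failed logins in total."""
    failures = defaultdict(int)
    for _, ip, _, result in events:
        if result == "FAIL":
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n >= threshold}

def targeted_accounts(events, min_ips=DISTRIBUTED_MIN_IPS, window=WINDOW):
    """Per-account rule: accounts with failures from at least `min_ips`
    distinct IPs inside any `window`-long span. Returns {user: set_of_ips}."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[user].append((ts, ip))
    hits = {}
    for user, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                hits[user] = ips
                break
    return hits
```

On the sample log `noisy_ips` returns an empty set while `targeted_accounts` returns alice with her five failing source addresses, which is the signal a per-account (or global failure-rate) rule gives that a per-IP limit cannot.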


The list of passwords that were tried:

Password1, Password123, Qwerty123, access14, admin123, bond007, letmein, pa55w0rd, passw0rd, password1, password123.



Use complex passwords, gentlemen.

Source: https://habr.com/ru/post/203172/


