GitHub Accidentally Stored Some Passwords in Plain Text

rgMekanic

[H]ard|News
Joined
May 13, 2013
Messages
4,179
Bleeping Computer is reporting that a select number of GitHub users were warned yesterday that due to a flaw in their password reset system, the company had stored their passwords in plain text on internal logs. According to GitHub's email, it's no big deal though because the plain text passwords would have only been exposed to a small number of GitHub employees.

It's getting close to time that we formatted and reinstalled the internet.

In June 2016, GitHub also sent out password reset emails to customers after an unknown actor tried to access GitHub accounts using passwords leaked online at the time, via the LinkedIn, Dropbox, MySpace, and other mega breaches of 2016.

Galvin

2[H]4U
Joined
Jan 22, 2002
Messages
2,695
If only we could start a new internet. Call it internet 2. We can all start fresh.

spugm1r3

[H]ard|Gawd
Joined
Sep 28, 2012
Messages
1,153
I'm baffled why the equivalent of hiding the house keys under a flower pot is such a prevalent thing. Given how many times we've heard how successful looking under the flower pot is for thieves, you would think we would at least start keeping the keys in our pocket instead.

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
If it's a public GitHub there's nothing there to hide since it's, well, public.
This has nothing to do with people checking in code without removing secrets first. This is the user's account password being stored in logs in plain text for the owner of that repo. MFA mitigates the risk of someone taking over your account when companies do insecure shit like this. That's why my git repo security is at the same level as, say, a bank account.

Plus what if there are private repos in the account as well?

heatlesssun

Extremely [H]
Joined
Nov 5, 2005
Messages
44,157
This has nothing to do with people checking in code without removing secrets first. This is the user's account password being stored in logs in plain text for the owner of that repo. MFA mitigates the risk of someone taking over your account when companies do insecure shit like this. That's why my git repo security is at the same level as, say, a bank account.

Plus what if there are private repos in the account as well?
Obviously plain text passwords are never a good thing. If my public GitHub account were hacked, not cool, but as a public thing by nature I don't have personal or private stuff there because by design code in those accounts has to be public. Now if it were a paid, private account, that's a much different matter and should have more security around it.