GitHub Accidentally Stored Some Passwords in Plain Text

rgMekanic

Bleeping Computer is reporting that a select number of GitHub users were warned yesterday that due to a flaw in their password reset system, the company had stored their passwords in plain text on internal logs. According to GitHub's email, it's no big deal though because the plain text passwords would have only been exposed to a small number of GitHub employees.

It's getting close to time that we formatted and reinstalled the internet.

In June 2016, GitHub also sent out password reset emails to customers after an unknown actor tried to access GitHub accounts using passwords leaked online at the time, via the LinkedIn, Dropbox, MySpace, and the other mega breaches of 2016.
 
If only we could start a new internet. Call it internet 2. We can all start fresh.
 
I'm baffled why the equivalent of hiding the house keys under a flower pot is such a prevalent thing. Given how many times we've heard how successful looking under the flower pot is for thieves, you would think we would at least start keeping the keys in our pocket instead.
 
If it's a public GitHub there's nothing there to hide since it's, well, public.

This has nothing to do with people checking in code without removing secrets first. This is the user's account password being stored in logs in plain text for the owner of that repo. MFA mitigates the risk of someone taking over your account when companies do insecure shit like this. That's why my git repo security is at the same level as, say, a bank account.

Plus what if there are private repos in the account as well?
 
Obviously plain text passwords are never a good thing. If my public GitHub account were hacked, not cool, but as a public thing by nature I don't have personal or private stuff there because by design code in those accounts has to be public. Now if it were a paid, private account, that's a much different matter and should have more security around it.
 