GitHub Exposed Passwords of Some Users
GitHub has instructed some users to reset their passwords after a bug caused internal logs to record passwords in plain text. Several users posted screenshots on Twitter of the security-related email they received from GitHub on Tuesday. The company told impacted customers that the incident was discovered during a regular audit.
GitHub claims only a "small number" of users are affected and the issue has been resolved, but impacted individuals will only regain access to their accounts after they reset their password. "GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset," GitHub said.
The company has assured users that the plaintext passwords were never accessible to the public, to other GitHub users, or to the majority of GitHub staff. While some staff members could have accessed the logs containing the plaintext passwords, GitHub believes it's "very unlikely" to have happened. GitHub has highlighted that its systems have not been hacked or compromised in any way.
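As an added illustration, not GitHub's code (the field names, log format and sample request are assumptions), this shows the logging pattern the quoted statement describes beside a hardened version that redacts credential fields before serialising, plus an audit check that flags archived log lines still carrying a plaintext credential:

```python
import json
import re

# Field names that must never reach a log line (assumption: illustrative
# list, not GitHub's actual configuration).
SENSITIVE_KEYS = {"password", "new_password", "password_confirmation", "token"}

def redact(payload):
    """Return a copy of a request payload with sensitive fields masked.

    Recurses into nested dicts and lists so a password buried in a
    sub-object is still caught.
    """
    if isinstance(payload, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact(v) for v in payload]
    return payload

def log_reset_request_buggy(payload):
    """The bug pattern: the whole request body is serialised into the log."""
    return "password_reset request=" + json.dumps(payload, sort_keys=True)

def log_reset_request_safe(payload):
    """Hardened version: redact first, so the log line is safe to retain."""
    return "password_reset request=" + json.dumps(redact(payload), sort_keys=True)

# Audit check: matches a credential field whose value is not the redaction
# marker. Run it over existing logs to detect the kind of leak described above.
LEAK_PATTERN = re.compile(
    r'"(?:' + "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS))
    + r')"\s*:\s*"(?!\[REDACTED\]")[^"]*"',
    re.IGNORECASE,
)

def find_leaked_lines(log_lines):
    """Return 1-based numbers of log lines that still hold a plaintext credential."""
    return [i for i, line in enumerate(log_lines, start=1) if LEAK_PATTERN.search(line)]

if __name__ == "__main__":
    # Constructed sample of a password-reset request, not real user data.
    sample = {"user": "alice", "new_password": "hunter2",
              "password_confirmation": "hunter2"}
    lines = [log_reset_request_buggy(sample), log_reset_request_safe(sample)]
    print(find_leaked_lines(lines))  # [1]
```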
This is not the first time the Git repository hosting service has asked users to reset their passwords. Back in mid-2016, the company locked some users out of their accounts after malicious actors had started abusing credentials leaked from other online services to log in to GitHub accounts. The company announced recently that it paid out a total of £166,495 to security researchers who reported vulnerabilities through its bug bounty program last year.