[Anubad] FYI. Weak passwords brute forced on Github

Sankarshan Mukhopadhyay sankarshan.mukhopadhyay at gmail.com
Wed Nov 20 00:16:44 PST 2013


<https://github.com/blog/1698-weak-passwords-brute-forced>

Some GitHub user accounts with weak passwords were recently
compromised due to a brute force password-guessing attack. I want to
take this opportunity to talk about our response to this specific
incident and account security in general.

We sent an email to users with compromised accounts letting them know
what to do. Their passwords have been reset and personal access
tokens, OAuth authorizations, and SSH keys have all been revoked.
Affected users will need to create a new, strong password and review
their account for any suspicious activity. This investigation is
ongoing and we will notify you if at any point we discover
unauthorized activity relating to source code or sensitive account
information.

Out of an abundance of caution, some user accounts may have been reset
even if a strong password was being used. Activity on these accounts
showed logins from IP addresses involved in this incident.

The Security History page logs important events involving your
account. If you had a strong password or GitHub's two factor
authentication enabled you may have still seen attempts to access your
account that have failed.

This is a great opportunity for you to review your account, ensure
that you have a strong password and enable two-factor authentication.

While we aggressively rate-limit login attempts and passwords are
stored properly, this incident has involved the use of nearly 40K
unique IP addresses. These addresses were used to slowly brute force
weak passwords or passwords used on multiple sites. We are working on
additional rate-limiting measures to address this. In addition, you
will no longer be able to login to GitHub.com with commonly-used weak
passwords.

If you have any questions or concerns please let us know.


-- 
sankarshan mukhopadhyay
<https://twitter.com/#!/sankarshan>
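The post's key technical point is that per-IP rate limiting is blind to an attack spread over ~40K addresses that each make only a handful of slow guesses; the limit that actually bites is one keyed on the target account, paired with refusing commonly used passwords outright. The following is an added illustration, not GitHub's code and not part of the original post. It assumes a hypothetical `LoginGuard` with made-up thresholds (10 attempts per IP, 20 failures per account, per hour), a five-entry stand-in for a real common-password denylist, salted PBKDF2 storage, and constructed source addresses from the 203.0.113.0/24 documentation range.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict, deque

# Constructed stand-in for a real common-password denylist (assumption:
# production would load a large breached/common list, not five strings).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "github"}

PER_IP_LIMIT = 10           # attempts per window from a single source IP (assumed)
PER_ACCOUNT_LIMIT = 20      # failed attempts per window against one account (assumed)
WINDOW_SECONDS = 3600.0
PBKDF2_ITERATIONS = 50_000  # kept low for the demo; use a higher cost in production


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed key against the stored one."""
    salt, dk = stored[:16], stored[16:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, dk)


class LoginGuard:
    """Throttles logins per source IP *and* per target account, and refuses
    denylisted passwords before the stored hash is consulted at all."""

    def __init__(self, clock):
        self.clock = clock                       # callable returning seconds
        self.ip_hits = defaultdict(deque)        # ip -> timestamps of attempts
        self.account_fails = defaultdict(deque)  # user -> timestamps of failures
        self.history = []                        # (time, user, ip, event): a "security history"

    def _recent(self, dq, now):
        """Drop timestamps outside the sliding window and return the remaining count."""
        while dq and dq[0] <= now - WINDOW_SECONDS:
            dq.popleft()
        return len(dq)

    def attempt(self, username, password, ip, stored_hash):
        now = self.clock()
        if self._recent(self.ip_hits[ip], now) >= PER_IP_LIMIT:
            self.history.append((now, username, ip, "throttled_ip"))
            return "throttled"
        # This is the check a 40K-address attack cannot dodge: it counts
        # failures against the account regardless of where they came from.
        if self._recent(self.account_fails[username], now) >= PER_ACCOUNT_LIMIT:
            self.history.append((now, username, ip, "throttled_account"))
            return "throttled"
        self.ip_hits[ip].append(now)
        if password in COMMON_PASSWORDS:
            # Refused without checking the hash: a denylisted password can never
            # log in, so guessing it reveals nothing about the account.
            self.account_fails[username].append(now)
            self.history.append((now, username, ip, "weak_password_rejected"))
            return "weak_password_rejected"
        if not verify_password(password, stored_hash):
            self.account_fails[username].append(now)
            self.history.append((now, username, ip, "failed"))
            return "failed"
        self.history.append((now, username, ip, "success"))
        return "success"


def simulate_distributed_attack(n_ips, clock=lambda: 1_000_000.0):
    """One wrong guess per source IP against a single account, all inside one
    window. Returns the outcome counts and the guard (to inspect its history)."""
    guard = LoginGuard(clock)
    stored = hash_password("correct horse battery staple")
    outcomes = Counter()
    for i in range(n_ips):
        ip = f"203.0.113.{i}"  # constructed address, one per attacker node
        outcomes[guard.attempt("alice", f"wrong-guess-{i}", ip, stored)] += 1
    return outcomes, guard


if __name__ == "__main__":
    outcomes, guard = simulate_distributed_attack(40)
    print(dict(outcomes))
    for event in guard.history[-3:]:
        print(event)
```

With 40 attacking addresses making one guess each, no IP ever reaches its own limit, yet the account counter stops the run after 20 failures; the remaining guesses are throttled before the hash is touched. The trade-off is visible in the same run: the legitimate owner is throttled too until the window expires, so an attacker can lock a victim out on purpose. Real deployments soften that with a CAPTCHA or a trusted-device cookie that bypasses the account counter, and with the second factor the post recommends, which makes a guessed password insufficient on its own.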


