
GitHub accounts leaked [REMOVED] - paxpelus
http://pastebin.com/rXu4G9Nb
======
metafunctor
Looks like the results of brute forcing password hashes. The list only
contains easy passwords.

~~~
paxpelus
Most of the passwords seem easy but you can find some harder passwords in the
list. Examples: ABab12!@, 1ae2T8gogE, nyC27f6cuW, 01j2o8h8n9 and more

~~~
pawadu
01j2o8h8n9 is by no means a secure password

~~~
dozzie
How do you assess that?

~~~
pawadu
at first this looks like 10 letters + digits, so the number of possible
combinations is

    10 ^(26 + 10) = 10^36

But notice that the letters all come from the right half of the keyboard,
which is not that uncommon. So the attacker could have tried

    10 ^(26/2 + 10) = 10^23

passwords, which is really not that secure. But then again, the password
starts with 01 so this would show up very early in an exhaustive search.

And given these characteristics, chances are the hash was already in someone's
rainbow tables.

~~~
dozzie
> But notice that the letters all come from the right half of the keyboard

Better yet, now notice that the letters come from a set of four! That reduces
the search space even more!

Ridiculous argument.

~~~
pawadu
> Ridiculous argument.

I beg to differ:

[http://www.ijicic.org/ijicic-10-09032.pdf](http://www.ijicic.org/ijicic-10-09032.pdf)

------
paxpelus
I really suggest if you see your email in this list to change your github
password. I have seen my account in this list along with the names of the
companies I am a member of in Github. I tested 3-4 other accounts and all of
them are valid credentials for github.com

------
saasinator
I tested a number of accounts, it's a legit dump. If your email is in there
I'd change your password and anywhere else you re-used the password.

~~~
paxpelus
I am still testing several accounts, more than 90% are legit accounts that
haven't changed their password yet. Among the accounts I did find companies such as
Microsoft, General Electric, EpicGames and more.

~~~
pawadu
Kind of off topic, but don't github and other big companies use a service
that automatically emails the owner and/or resets their password when their
account information shows up on pastebin?

So why are the accounts still up?

~~~
keyle
I didn't know such service existed. Sounds interesting.

Is there a service monitoring pastebin etc. for an individual's email account?

~~~
pawadu
haven't tried it myself:
[https://haveibeenpwned.com](https://haveibeenpwned.com)

------
kruhft
None of my 3 accounts in there.

