
Github seems to be experiencing security issues - sylvainkalache
https://github.com/settings/security
======
wgx
The list of IPs from China (& Indonesia, etc) - that most are seeing on their
page - making failed login attempts, looks like a botnet or automated
bruteforce on the GitHub authentication service. Hit enough usernames with a
dictionary attack and they'll get some accounts. I assume that GH are doing
some basic rate-limiting or 'fail2ban' style blacklisting on these attempts.

As anyone who's put an EC2 up without securing it knows, an automated SSH
attempt at 'root' will be made within a few hours of it coming online.

~~~
bergie
I wonder if this is related to the recent Adobe and vBulletin user database
breaches. They might be trying those passwords on GH.

~~~
csmuk
Very likely.

We've just added a kill-list of known decrypted passwords and English language
words and forced people to reset their passwords who are listed in the adobe
breach.

~~~
ValentineC
How do you find out that someone's using a known decrypted password on your
service?

~~~
csmuk
From here: [http://stricture-group.com/files/adobe-top100.txt](http://stricture-group.com/files/adobe-top100.txt)

We wrote a script that hashed these passwords with the stored salt for each
user and compared the result with the stored hashed value. Basically we brute
forced everyone's accounts with the dictionary provided. Anyone who was found
with an account that was in the dictionary was locked out with forced password
change. We changed the password policy before doing this to increase
complexity and block dictionary and the decrypted list words. We also force
people to change their password every 28 days anyway and keep the last 7
hashed passwords and salts to verify that the user hasn't reused.

We store financial data so it's pretty hardcore auth requirements.
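An added example of the audit csmuk describes above (rehash every blocklisted password under each user's stored salt, compare against the stored hash, and check new passwords against the previous hashes). This is not csmuk's script or any production code. It assumes passwords are stored as PBKDF2-HMAC-SHA256 with a per-user random salt and one fixed iteration count; the user records and the short blocklist are constructed sample data, not the Adobe top-100 file itself.

```python
"""Audit stored password hashes against a blocklist of known-breached passwords.

Added example, not csmuk's script. Assumptions: each user record holds a
per-user random salt plus PBKDF2-HMAC-SHA256(password, salt) at a fixed
iteration count, and the blocklist is plain text, one password per line.
All sample users and the blocklist below are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: one work factor for the whole user table


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(username, password, previous=()):
    """Constructed user record. Each previous password keeps its own
    (salt, hash) pair, exactly as the live password does."""
    salt = os.urandom(16)
    history = []
    for old in previous:
        old_salt = os.urandom(16)
        history.append((old_salt, hash_password(old, old_salt)))
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "history": history}


def load_blocklist(text):
    """One candidate per line; blanks and duplicates dropped. An English
    word list is just more lines in the same file."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


def audit_users(users, blocklist):
    """Return {username: matched_password} for every user whose live hash
    equals the hash of a blocklisted password under that user's own salt.
    Per-user salts mean every candidate is rehashed for every user, so the
    cost is len(users) * len(blocklist) PBKDF2 calls; keep the list short."""
    flagged = {}
    for user in users:
        for candidate in blocklist:
            guess = hash_password(candidate, user["salt"])
            if hmac.compare_digest(guess, user["hash"]):
                flagged[user["username"]] = candidate
                break
    return flagged


def is_reused(user, new_password, keep=7):
    """True if new_password equals the live password or any of the last
    `keep` previous ones. Each stored entry has its own salt, so the
    candidate is rehashed per entry."""
    entries = user["history"][-keep:] + [(user["salt"], user["hash"])]
    return any(hmac.compare_digest(hash_password(new_password, s), h)
               for s, h in entries)


# Constructed sample blocklist (a few entries of the kind found in such lists).
BLOCKLIST_TEXT = """\
123456
password
adobe123
12345678
qwerty
photoshop
"""

# Constructed sample accounts; only "alice" picked a listed password.
SAMPLE_USERS = [
    make_user("alice", "adobe123", previous=["summer2012"]),
    make_user("bob", "correct horse battery staple", previous=["hunter2"]),
    make_user("carol", "photoshop1"),   # near a listed word, but not on the list
]


def run_audit(users=SAMPLE_USERS, blocklist_text=BLOCKLIST_TEXT):
    """Accounts to lock out with a forced password change."""
    return audit_users(users, load_blocklist(blocklist_text))


if __name__ == "__main__":
    print("flagged:", run_audit())
    print("bob reusing hunter2:", is_reused(SAMPLE_USERS[1], "hunter2"))
```

`audit_users` does exactly what a brute force of your own table does, which is why the cost matters: with a real work factor, a top-100 list against a large user base is a batch job, not something to run at login time. The reuse check has the same shape, which is why keeping the last seven hashes with their salts (as csmuk describes) is enough; no plaintext history is needed.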

------
notwedtm
A reply from Zach Holman on twitter confirms that it's an automated attack
that they are currently working on mitigating:
[https://twitter.com/holman/status/402720736650874880](https://twitter.com/holman/status/402720736650874880)

------
awjr
I would strongly suggest people enable two factor authentication:
[https://github.com/settings/two_factor_authentication/config...](https://github.com/settings/two_factor_authentication/configure)

~~~
awjr
Just one footnote (as I have just taken my own advice and turned it on).
Suddenly I couldn't push/pull through the git command line access as it would
not accept my password.

Took me a bit to work it out but you need to go here
[https://github.com/settings/applications](https://github.com/settings/applications)
and create personal access tokens.

~~~
pja
If you need to store a personal access token in order to pull or push to your
own repos, how is two-factor auth any better than a normal account with a
secure (ie reasonably long, unique, randomly generated) password?

~~~
300bps
I use 2FA with GMail and the same question could be asked. The answer is that
an application password does not have admin rights to the account. It can be
revoked at any time. It traces the breach directly back to a particular
application. They are not meant to be memorized but rather to be set and
remembered in a particular application which means they can be extremely
complex and are by default. I have to think that at least some of this is
applicable to GitHub's 2FA.

~~~
pja
Your points are good ones for something like GMail (where a single account
allows access to many Google services and includes a potentially huge trove of
other private data).

For github though, the repos you have read (or commit if vandalism is the
risk) access to _are_ the data in question, so unless you use your github
account for other things, I'm still not really seeing the benefit to the end
user if you still have to store OAuth tokens everywhere you actually use git.

Can github issue OAuth tokens that are restricted to a specific repo? At least
that would prevent a token leak exposing other repos that you had access to.

------
ThatOtherPerson
I just checked my account's security history, and there's been a failed login
attempt every 7 hours for the past two days, all from different IP addresses.

It reminds me of the "Hail Mary Cloud" posted previously on HN -
[http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-le...](http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-lessons-learned.html)

------
aram
Very strange; I just checked my security history and see that there have been
5 unsuccessful login attempts from China/Venezuela to my account (last 14
hours). Everything before that is pretty clean and without fake logins.

Does anyone have more information on this?

~~~
dxm
I too have the following, which cannot be attributed to me since I was asleep.

    user.failed_login: Originated from 139.194.122.85 9 hours ago
    user.failed_login: Originated from 201.210.254.161 11 hours ago
    user.failed_login: Originated from 201.248.24.177 a day ago
    user.failed_login: Originated from 183.89.77.84 a day ago
    user.failed_login: Originated from 201.211.14.251 a day ago

------
aaronpk
I don't get it... this is my own security page which looks normal to me.

[edit] I see one failed login attempt from a Chinese IP like other people are
saying. Maybe that is what OP meant to point out?

~~~
chalst
I guess the point is that these auth failures were rare. I've seen 5 failed
login attempts in the past 3 days, on an account that had none in its previous
two years.
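The signal several people in this thread describe is a comparison, not a count: a handful of failures in three days from addresses that have never logged in, against an account that previously saw almost none. Below is an added example of that check, not GitHub's own detection logic. It parses the event / `actor_ip` / `created_at` record layout that the security history page shows (and that some posters paste further down), assumes timestamps are UTC and that a `user.login` record is a successful login, and uses two constructed histories with TEST-NET addresses rather than the IPs posted here.

```python
"""Spot a spray of failed logins against one account from its security history.

Added example, not GitHub's detection logic. Input is the record layout the
security history page shows: an event name line, then tab-separated key/value
lines, records separated by a blank line. Assumptions: timestamps are UTC and
'user.login' is a successful login. Both histories below are constructed.
"""
import re
from datetime import datetime, timedelta


def parse_history(text):
    """Turn pasted records into dicts; 'created_at' becomes a datetime."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        rec = {"event": lines[0]}
        for line in lines[1:]:
            key, value = re.split(r"\s+", line, maxsplit=1)
            rec[key] = value
        rec["created_at"] = datetime.strptime(rec["created_at"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def summarize(events, now, recent_days=3, baseline_days=365):
    """Compare the last `recent_days` of failures with the preceding baseline.
    'unknown_ips' are failing addresses that never logged in successfully;
    the owner's own typos come from addresses that have."""
    recent_start = now - timedelta(days=recent_days)
    baseline_start = now - timedelta(days=baseline_days)
    failed = [e for e in events if e["event"] == "user.failed_login"]
    recent = [e for e in failed if recent_start <= e["created_at"] <= now]
    baseline = [e for e in failed if baseline_start <= e["created_at"] < recent_start]
    trusted_ips = {e["actor_ip"] for e in events if e["event"] == "user.login"}
    return {
        "recent_failures": len(recent),
        "recent_per_day": len(recent) / recent_days,
        "baseline_per_day": len(baseline) / (baseline_days - recent_days),
        "baseline_days": baseline_days,
        "unknown_ips": sorted({e["actor_ip"] for e in recent} - trusted_ips),
    }


def looks_like_spray(summary, min_failures=3, min_unknown_ips=3, ratio=10):
    """Many recent failures, from unfamiliar addresses, far above the account's
    own historical rate. A clean year counts as 'about one failure a year',
    not zero, so the ratio stays finite for accounts with no history."""
    expected = max(summary["baseline_per_day"], 1 / summary["baseline_days"])
    return (summary["recent_failures"] >= min_failures
            and len(summary["unknown_ips"]) >= min_unknown_ips
            and summary["recent_per_day"] > ratio * expected)


NOW = datetime(2013, 11, 19, 0, 0, 0)   # constructed 'now' for the samples

# Constructed: one typo from the owner's own address in February, then four
# failures from four unfamiliar addresses in the last three days.
SPRAYED_HISTORY = """\
user.failed_login
actor_ip\t203.0.113.7
created_at\t2013-02-03 07:59:40

user.login
actor_ip\t203.0.113.7
created_at\t2013-02-03 08:00:00

user.failed_login
actor_ip\t192.0.2.41
created_at\t2013-11-16 12:55:31

user.failed_login
actor_ip\t198.51.100.9
created_at\t2013-11-17 12:40:34

user.failed_login
actor_ip\t198.51.100.84
created_at\t2013-11-18 06:05:01

user.login
actor_ip\t203.0.113.7
created_at\t2013-11-18 09:12:00

user.failed_login
actor_ip\t192.0.2.200
created_at\t2013-11-18 21:03:47
"""

# Constructed: the owner mistyped once from a known address, nothing else.
QUIET_HISTORY = """\
user.failed_login
actor_ip\t203.0.113.7
created_at\t2013-11-18 09:11:30

user.login
actor_ip\t203.0.113.7
created_at\t2013-11-18 09:12:00
"""


def analyze(text, now=NOW):
    summary = summarize(parse_history(text), now)
    return summary, looks_like_spray(summary)
```

The thresholds are deliberately loose: the point is the shape of the check (recent rate against the account's own baseline, plus whether the failing addresses have ever succeeded), not the numbers. A successful login from an address that only appears in the failed list is a different and more urgent event than anything this function flags.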

------
sebslomski
user.failed_login: Originated from
[http://ipinfo.io/190.203.225.87](http://ipinfo.io/190.203.225.87) 12 hours
ago

user.failed_login: Originated from
[http://ipinfo.io/186.88.197.206](http://ipinfo.io/186.88.197.206) 18 hours
ago

user.failed_login: Originated from
[http://ipinfo.io/182.253.48.4](http://ipinfo.io/182.253.48.4) a day ago

user.failed_login: Originated from
[http://ipinfo.io/94.134.190.4](http://ipinfo.io/94.134.190.4) a day ago

user.failed_login: Originated from
[http://ipinfo.io/186.94.244.213](http://ipinfo.io/186.94.244.213) 2 days ago

user.failed_login: Originated from
[http://ipinfo.io/109.122.92.52](http://ipinfo.io/109.122.92.52) 2 days ago

------
jibsen
Not sure if it's related to what the OP meant, but I can see 5 failed login
attempts from different IP addresses over the past 48 hours (and pretty much
none before that).

------
SilkRoadie
Why does this page mean GitHub is experiencing security issues?

I didn't know this page existed. It's pretty handy, though I don't like how it
shows failed logins. 6 attempts in the past 24 hours unnerves me. Probably
trying my email and my use-all password from vBulletin or one of the numerous
other sites which have been broken into.

~~~
ThatOtherPerson
Check your previous history. You probably don't have many failed attempts
before the past 24 hours. It seems to be some sort of botnet attack.

------
seg
It's showing a page of security history. That doesn't mean there is a problem
with security. It's just for the curious ones, or the paranoid ones, or those
that surf around on suspicious networks or committed something last night and
can't remember it at all.

It's just a reality check.

# my $0.02

------
mekishizufu
Hmm, 13 failed attempts for me as well. Glad I have the "Two-factor
authentication" On just in case.

[https://github.com/blog/1614-two-factor-authentication](https://github.com/blog/1614-two-factor-authentication)

------
simonw
I wonder if these failed login attempts are using passwords from the Adobe
breach.

~~~
junto
I think that is unlikely. The Adobe breach data looked like this:

    84557956-|--|-[redacted]@parponline.org-|-0tlHzKbr18uO6Wu5iaXtPQ==-|-mother's maiden name-Wilson|--

These logins are targeted at usernames. Adobe data didn't contain usernames,
hence I don't understand how the Adobe data could help here.

    user.failed_login

    actor	<redacted>
    actor_ip	201.20.72.120
    created_at	2013-11-18 21:03:47
    note	From GitHub.com
    user	<redacted>

~~~
anonymoushn
Github users frequently have public email addresses or email addresses on
their commits. It is also reasonable to try to match $foo@domain.com with the
username $foo.

------
antr
Same here

    6 hours ago user.failed_login: Originated from 190.237.42.139
    12 hours ago user.failed_login: Originated from 186.91.131.199
    16 hours ago user.failed_login: Originated from 91.226.79.82
    a day ago user.failed_login: Originated from 184.22.105.99
    a day ago user.failed_login: Originated from 190.205.97.211
    2 days ago user.failed_login: Originated from 189.43.19.210

------
matthewbadeau
Looks like some of the IPs are proxies:
[http://webcache.googleusercontent.com/search?q=cache:HIFaDGu...](http://webcache.googleusercontent.com/search?q=cache:HIFaDGufvkcJ:venezuela-proxy.blogspot.com/2013/11/live-proxy-list-on-november04-2013.html&client=firefox-a&hl=en&gl=us&strip=1)

------
thezilch
Strangely, I use a unique email for github, like I do with most sites that
allow attaching "+comment" to the localpart of email addresses. Are attackers
really this sophisticated, or where did they get the list?

Edit: Nevermind, I guess github allows authenticating with a username, in
addition to the email.

------
kineticfocus
I count five failed attempts within two days (190.39.254.6, 201.209.39.192,
85.152.192.118, 186.88.197.41, 190.200.20.207). Good to know the password
(that I almost managed to forget) is strong enough.

------
notwedtm
I'm seeing similar failed attempts in my logs as well.

------
alexchamberlain
If anyone from GitHub is reading, it would be cool if the failed IP addresses
had an approximate location appended to them.

~~~
envygeeks
That's only useful if they plan to use location algorithms like banks do to
detect possible fraudulent logins. For example, banks do basic location
tracking to detect fraud: if you mostly shop in a specific area of New York and
they suddenly detect a purchase in Canada, your bank _should_ block it. I know
my bank does, and they'll call me within 20 minutes to confirm it was me
(enough time for me to call them and authorize it, or, if I switch to another
card, quick enough for me to tell them I'm in Canada for the week).
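The bank-style check envygeeks describes has two parts: an event from a location the account has never used, and two successful logins too close together to both be the same person. Below is an added example of both on a GitHub-style login history; it is not a bank's or GitHub's fraud logic. The IP-to-country table is a constructed stand-in for a GeoIP lookup, the event list is constructed sample data using TEST-NET addresses, and a country change within two hours is a crude substitute for a real distance-and-speed calculation.

```python
"""Location checks on an account's login history.

Added example, not a bank's or GitHub's fraud logic. GEO is a constructed
stand-in for a GeoIP database and HISTORY is constructed sample data; a real
deployment would use GeoIP coordinates and travel speed, not country names.
"""
from datetime import datetime, timedelta

GEO = {   # constructed IP -> country table (TEST-NET addresses)
    "203.0.113.7": "US",
    "203.0.113.22": "US",
    "198.51.100.9": "VE",
    "192.0.2.41": "CN",
    "192.0.2.200": "CA",
}

# Constructed (timestamp, event, ip) records for one account.
HISTORY = [
    (datetime(2013, 2, 3, 8, 0), "user.login", "203.0.113.7"),
    (datetime(2013, 6, 20, 18, 30), "user.login", "203.0.113.22"),
    (datetime(2013, 11, 17, 12, 40), "user.failed_login", "198.51.100.9"),
    (datetime(2013, 11, 18, 9, 12), "user.login", "203.0.113.7"),
    (datetime(2013, 11, 18, 10, 5), "user.login", "192.0.2.200"),
    (datetime(2013, 11, 18, 21, 3), "user.failed_login", "192.0.2.41"),
]


def country_of(ip, geo=GEO):
    return geo.get(ip, "??")   # unknown addresses get their own bucket


def events_from_new_countries(history, geo=GEO):
    """Events (failed or successful) whose country never appeared in an
    earlier successful login. The very first login establishes the baseline
    and is not flagged; a successful login from a new country joins the
    baseline only after it has been reported."""
    seen, flagged = set(), []
    for ts, event, ip in sorted(history):
        country = country_of(ip, geo)
        if seen and country not in seen:
            flagged.append((ts, event, ip, country))
        if event == "user.login":
            seen.add(country)
    return flagged


def impossible_travel(history, geo=GEO, max_gap=timedelta(hours=2)):
    """Consecutive successful logins from different countries closer in time
    than max_gap. Only successes count: a failed attempt proves nothing about
    where the owner is."""
    logins = sorted((ts, ip) for ts, event, ip in history if event == "user.login")
    pairs = []
    for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
        c1, c2 = country_of(ip1, geo), country_of(ip2, geo)
        if c1 != c2 and t2 - t1 < max_gap:
            pairs.append(((t1, ip1, c1), (t2, ip2, c2)))
    return pairs
```

On the sample history the first function reports the Venezuelan and Chinese failures and the Canadian success as new locations, and the second reports the New York-to-Canada pair 53 minutes apart; which of those deserves a block, a phone call, or just a line in the security history is a policy choice the code leaves to the caller.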

------
nicolsc
Only have one failed login attempt, from Ecuador. Should I be offended?

------
aniketpant
Here are my logs from the last two days:

    user.failed_login
    actor_ip 186.93.156.104
    created_at 2013-11-18 14:45:30

    user.failed_login
    actor_ip 180.183.84.109
    created_at 2013-11-18 06:05:01

    user.failed_login
    actor_ip 41.79.65.109
    created_at 2013-11-17 12:55:31

    user.failed_login
    actor_ip 186.93.79.118
    created_at 2013-11-17 12:40:34

------
beaker52

      user.failed_login: Originated from 129.49.72.52 2 days ago

------
m4tthumphrey
They should provide the password used to attempt to log in too.

~~~
phpnode
No, they definitely shouldn't, for the same reason they don't store the real
passwords in plain text. It would be a terrible security hole.

~~~
m4tthumphrey
Sorry for being ignorant, but why is providing the passwords they
guess/automate a security issue?

~~~
cscheid
For one, because if someone _does_ find a hole that gives them access to
Github data, they'll have all password attempts, which would include typos of
the real password. Which is a terrible, terrible thing to store in a hard
drive (see Adobe)

------
daGrevis
Someone from Venezuela tried to log in, but failed.

------
animexcom
Care to elaborate?

