Github account compromised - runninggee
http://pastebin.com/E3LPmduh

======
andydev
Worth checking
[https://github.com/settings/security](https://github.com/settings/security)
to see if you've seen any failed login attempts that aren't you.

Also recommend enabling two-factor authentication.

~~~
jlgaddis
Indeed, I've got failed login attempts from four different IP addresses
(115.127.35.4, 183.96.115.54, 186.89.119.140, and 190.73.143.216) over the
last two days.

~~~
runninggee
190.206.118.221, 61.247.35.20, 201.243.203.209, 190.204.171.95,
190.36.181.198, 213.163.72.224 were the IPs that hit me. But yes, only for the
last 3 days and there's no way they guessed my password in 5 attempts, unless
someone's decrypted the Adobe document

------
briandoll
We just posted more details on this incident:
[https://github.com/blog/1698-weak-passwords-brute-forced](https://github.com/blog/1698-weak-passwords-brute-forced)

------
nilved
I got this email too, which I found to be really lacking in detail. I asked
for more info and will post their response if it's applicable.

There's literally no way my password was brute forced unless the adversary
built a quantum computer, so I think this indicates that GitHub was attacked
as opposed to the users directly.

------
olefoo
Sounds like Github is doing the right thing. Detecting your account is
compromised and forcing a reset of credentials.

It does sound like they might need to up their game on traffic monitoring,
since how did the attacker get enough tries to brute force even a simple
password? But that's why it's an arms race.

~~~
nilved
No, it'd be the right thing if they didn't get hacked to begin with. This is
_GitHub_ being bested by _brute force_.

~~~
AdamGibbins
How do you reasonably protect from brute force? Other than enforcing secure
passwords.

You block IPs that make too many failed attempts - you block an entire NAT
range, i.e. schools. Kids like to troll each other.

Alternatives?

~~~
nilved
GitHub has rate limiting in place (for user logins), as it demonstrated when
it counter-intuitively locked me out of my own account while I tried to regain
access. The fact that multiple accounts were compromised through this attack
(despite their rate limiting) and that it would be literally impossible to
guess my password sans quantum computing indicates _their_ password was
compromised, not the password of any affected account. The solution is for
them to use proper password security.

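Added example (editor's code, not GitHub's and not something anyone in the thread posted) covering the two questions raised above: how per-IP and per-account failure limits actually work, and why the pattern jlgaddis and runninggee describe (a handful of failures per address, from several addresses, spread over a few days) never trips a per-IP limit and has to be caught by aggregating per account instead. The log format, thresholds, account names and addresses are all assumed or constructed; the addresses come from the RFC 5737 documentation ranges, not from the thread.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed auth-log line format: "<ISO-8601 UTC> OK|FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Attempt:
    ts: datetime
    ok: bool
    user: str
    ip: str


def constructed_log():
    """Constructed sample log (not real data; RFC 5737 documentation addresses).
    'alice': 5 failures from each of 6 IPs over 3 days (distributed, low and slow);
    'bob': 12 failures from one IP in under a minute; 'carol': a typo, then success."""
    t0 = datetime(2013, 11, 17, 1, 0, tzinfo=timezone.utc)
    lines = []
    ips = ["203.0.113.10", "198.51.100.7", "192.0.2.33",
           "203.0.113.250", "198.51.100.99", "192.0.2.8"]
    for i, ip in enumerate(ips):
        for k in range(5):
            t = t0 + timedelta(hours=12 * i, seconds=6 * k)
            lines.append(f"{t.strftime(TS_FMT)} FAIL user=alice ip={ip}")
    for k in range(12):
        t = t0 + timedelta(days=1, seconds=4 * k)
        lines.append(f"{t.strftime(TS_FMT)} FAIL user=bob ip=203.0.113.99")
    t = t0 + timedelta(days=1, hours=3)
    lines.append(f"{t.strftime(TS_FMT)} FAIL user=carol ip=192.0.2.5")
    t += timedelta(seconds=20)
    lines.append(f"{t.strftime(TS_FMT)} OK user=carol ip=192.0.2.5")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into Attempt records, oldest first; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        out.append(Attempt(ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return sorted(out, key=lambda a: a.ts)


class LoginThrottle:
    """Sliding-window failure counters. Too many failures from one IP block that
    IP; too many failures against one account trigger step-up verification
    rather than a lockout, so an attacker cannot lock the real owner out just
    by failing on purpose."""

    def __init__(self, ip_limit=10, ip_window=timedelta(minutes=15),
                 acct_limit=20, acct_window=timedelta(hours=24)):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.acct_limit, self.acct_window = acct_limit, acct_window
        self.ip_fail = defaultdict(deque)    # ip -> timestamps of failures
        self.acct_fail = defaultdict(deque)  # user -> timestamps of failures

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] > window:
            q.popleft()

    def check(self, a):
        """Decide on one attempt ('allow', 'block-ip' or 'step-up'), then record it."""
        ipq, acq = self.ip_fail[a.ip], self.acct_fail[a.user]
        self._prune(ipq, a.ts, self.ip_window)
        self._prune(acq, a.ts, self.acct_window)
        if len(ipq) >= self.ip_limit:
            decision = "block-ip"
        elif len(acq) >= self.acct_limit:
            decision = "step-up"
        else:
            decision = "allow"
        if not a.ok:
            ipq.append(a.ts)
            acq.append(a.ts)
        return decision


def replay(attempts, throttle=None):
    """Run the throttle over a log; returns Counter of (user, decision) -> count."""
    throttle = throttle or LoginThrottle()
    counts = Counter()
    for a in attempts:
        counts[(a.user, throttle.check(a))] += 1
    return counts


def distributed_suspects(attempts, window=timedelta(days=3), per_ip_max=5, min_ips=4):
    """Accounts whose failures within some `window` come from at least `min_ips`
    addresses with no single address above `per_ip_max`: the shape that never
    trips a per-IP limit. Returns {user: (failures, distinct_ips)}."""
    fails = defaultdict(list)
    for a in attempts:
        if not a.ok:
            fails[a.user].append(a)
    result = {}
    for user, fa in fails.items():
        best, start = None, 0
        for end in range(len(fa)):
            while fa[end].ts - fa[start].ts > window:
                start += 1
            per_ip = Counter(a.ip for a in fa[start:end + 1])
            if len(per_ip) >= min_ips and max(per_ip.values()) <= per_ip_max:
                cand = (sum(per_ip.values()), len(per_ip))
                best = max(best, cand) if best else cand
        if best:
            result[user] = best
    return result


if __name__ == "__main__":
    log = parse_log(constructed_log())
    print(replay(log))                # bob's 11th and 12th tries are blocked
    print(distributed_suspects(log))  # alice flagged: 30 failures from 6 IPs
```

With the thresholds assumed here, bob's single-source burst is cut off after ten failures, while alice's 30 failures pass the throttle untouched because no address ever reaches the per-IP limit and the 24-hour per-account window never fills; only the per-account aggregation across addresses surfaces it. The per-account counter asks for step-up verification instead of locking the account, which is the design choice behind the lockout complaint in the thread.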
------
AdamGibbins
GitHub have two-factor authentication - why're you not using it?

~~~
nilved
With a secure password and secure browsing habits, I shouldn't need to. I
shouldn't need to inconvenience myself like that to accommodate the host's
poor security.

~~~
jclos
Honestly depending on what you use Github for, 2-factor authentication is a
pretty minor inconvenience compared to the loss of the account.

