Hacker News new | past | comments | ask | show | jobs | submit login
Github seems to be experiencing security issues (github.com/settings)
60 points by sylvainkalache on Nov 19, 2013 | hide | past | favorite | 58 comments

The list of IPs from China (& Indonesia, etc) - that most are seeing on their page - making failed login attempts, looks like a botnet or automated bruteforce on the GitHub authentication service. Hit enough usernames with a dictionary attack and they'll get some accounts. I assume that GH are doing some basic rate-limiting or 'fail2ban' style blacklisting on these attempts.

As anyone who's put an EC2 up without securing it knows, an automated SSH attempt at 'root' will be made within a few hours of it coming online.

Attacks like this are common place on the internet.

What I will take away from this, is that github provides a very nice authentication audit log. I really want every service/app/site to provide this kind of information.

Or attached any box directly to the internet.

This looks like bog standard background noise to me.


I wonder if this is related to the recent Adobe and vBulletin user database breaches. They might be trying those passwords on GH.

Very likely.

We've just added a kill-list of known decrypted passwords and English language words and forced people to reset their passwords who are listed in the adobe breach.

How do you find out that someone's using a known decrypted password on your service?

From here: http://stricture-group.com/files/adobe-top100.txt

We wrote a script that hashed these passwords with the stored salt for each user and compared the result with the stored hashed value. Basically we brute forced everyone's accounts with the dictionary provided. Anyone who was found with an account that was in the dictionary was locked out with forced password change. We changed the password policy before doing this to increase complexity and block dictionary and the decrypted list words. We also force people to change their password every 28 days anyway and keep the last 7 hashed passwords and salts to verify that the user hasn't reused.

We store financial data so it's pretty hardcore auth requirements.

I wonder. I used the same username and password for both Adobe and github. But they were not able to break in.

Of course I changed the password for github now.

I have 14 failed attempts in the last 4 days.

I didn't have an account on either of those websites, but still had 5 failed login attempts.

Seems more like its just background noise and they've just enabled reporting of it. I don't really see the problem everyone should have secure passwords anyway or two factor. If some random botnet can guess your password after < 50 guesses your doing something wrong.

A reply from Zach Holman on twitter confirms that it's an automated attack that they are currently working on mitigating: https://twitter.com/holman/status/402720736650874880

I would strongly suggest people enable two factor authentication: https://github.com/settings/two_factor_authentication/config...

Just one foot note (as I have just taken my own advice and turned it on). Suddenly I couldn't push/pull through the git command line access as it would not accept my password.

Took me a bit to work it out but you need to go here https://github.com/settings/applications and create personal access tokens.

You could try using SSH + keys. I only ever use my password for the site itself.

If you need to store a personal access token in order to pull or push to your own repos, how is two-factor auth any better than a normal account with a secure (ie reasonably long, unique, randomly generated) password?

I use 2FA with GMail and the same question could be asked. The answer is that an application password does not have admin rights to the account. It can be revoked at any time. It traces the breach directly back to a particular application. They are not meant to be memorized but rather to be set and remembered in a particular application which means they can be extremely complex and are by default. I have to think that at least some of this is applicable to GitHub's 2FA.

Your points are good ones for something like GMail (where a single account allows access to many Google services and includes a potentially huge trove of other private data).

For github though, the the repos you have read (or commit if vandalism is the risk) access to are the data in question, so unless you use your github account for other things, I'm still not really seeing the benefit to the end user if you still have to store OAuth tokens everywhere you actually use git.

Can github issue OAuth tokens that are restricted to a specific repo? At least that would prevent a token leak exposing other repos that you had access to.

I just checked my account's security history, and there's been a failed login attempt every 7 hours for the past two days, all from different IP addresses.

It reminds me of the "Hail Mary Cloud" posted previously on HN - http://bsdly.blogspot.com/2013/10/the-hail-mary-cloud-and-le...

Very strange; I just checked my security history and see that there have been 5 unsuccessful login attempts from China/Venezuela to my account (last 14 hours). Everything before that is pretty clean and without fake logins.

Does anyone have more information on this?

I too have the following, which cannot be attributed to me since I was asleep.

  user.failed_login: Originated from 9 hours ago
  user.failed_login: Originated from 11 hours ago 
  user.failed_login: Originated from a day ago
  user.failed_login: Originated from a day ago
  user.failed_login: Originated from a day ago

Same here,

   user.failed_login: Originated from 9 hours ago
   user.failed_login: Originated from 13 hours ago
   user.failed_login: Originated from 17 hours ago 
   user.failed_login: Originated from a day ago 
   user.failed_login: Originated from 2 days ago

Same here,

  user.failed_login: Originated from 9 hours ago
  user.failed_login: Originated from 14 hours ago
  user.failed_login: Originated from 19 hours ago
  user.failed_login: Originated from a day ago
  user.failed_login: Originated from 2 days ago

9 hours ago user.failed_login: Originated from 15 hours ago user.failed_login: Originated from 2 days ago user.failed_login: Originated from 2 days ago user.failed_login: Originated from

I can confirm this.

  user.failed_login: Originated from 2 days ago
  user.failed_login: Originated from 4 days ago

Maybe they've just enabled reporting for failed logins?

If nothing else it would encourage people to care more about their security.

Same here, 5 failed login attempts from Venezuela

I don't get it... this is my own security page which looks normal to me.

[edit] I see one failed login attempt from a chinese IP like other people are saying. Maybe that is what OP meant to point out?

I guess the point is that these auth failures were rare. I've seen 5 failed login attempts in the past 3 days, on an account that had none in its previous two years.

On mine I see 13 different login attempts, in about 8 hours.

user.failed_login: Originated from http://ipinfo.io/ 12 hours ago

user.failed_login: Originated from http://ipinfo.io/ 18 hours ago

user.failed_login: Originated from http://ipinfo.io/ a day ago

user.failed_login: Originated from http://ipinfo.io/ a day ago

user.failed_login: Originated from http://ipinfo.io/ 2 days ago

user.failed_login: Originated from http://ipinfo.io/ 2 days ago

Not sure if it's related to what the OP meant, but I can see 5 failed login attempts from different IP addresses over the past 48 hours (and pretty much none before that).

Why does this page mean GitHub is experiencing security issues?

I didn't know this page existed. Its pretty handy, though I don't like how it shows failed logins. 6 attempts in the past 24 hours unnerves me. Probably trying my email and my use-all password from vBulletin or one of the numerous other sites which have been broken into.

Check your previous history. You probably don't have many failed attempts before the past 24 hours. It seems to be some sort of botnet attack.

It's showing a page of security history. That doesn't mean there is a problem with security. It's just for the curious ones, or the paranoid ones, or those that surf around on suspicious networks or committed something last night and can't remember it at all.

It's just a reality check.

# my $0.02

Hmm, 13 failed attempts for me as well. Glad I have the "Two-factor authentication" On just in case.


I wonder if these failed login attempts are using passwords from the Adobe breach.

I think that is unlikely. The Adobe breach data looked like this:

   84557956-|--|-[redacted]@parponline.org-|-0tlHzKbr18uO6Wu5iaXtPQ==-|-mother's maiden name-Wilson|--
These logins are targeted at usernames. Adobe data didn't contain usernames, hence I don't understand how the Adobe data could help here.


  actor	<redacted>
  created_at	2013-11-18 21:03:47
  note	From GitHub.com
  user	<redacted>

Github users frequently have public email addresses or email addresses on their commits. It is also reasonable to try to match $foo@domain.com with the username $foo.

You can login to github using an e-mail address.

Same here

    6 hours ago user.failed_login: Originated from
    12 hours ago user.failed_login: Originated from
    16 hours ago user.failed_login: Originated from
    a day ago user.failed_login: Originated from
    a day ago user.failed_login: Originated from
    2 days ago user.failed_login: Originated from

Looks like some of the IPs are proxies: http://webcache.googleusercontent.com/search?q=cache:HIFaDGu...

Strangely, I use a unique email for github, like I do with most sites that allow attaching "+comment" to the localpart of email addresses. Are attackers really this sophisticated, or where did they get the list?

Edit: Nevermind, I guess github allows authenticating with a username, in addition to the email.

I count five failed attempts within two days (,, ,, Good to know the password -that I almost manage to forget- is strong enough.

I'm seeing similar failed attempts in my logs as well.

If anyone from GitHub is reading, it would be cool if the failed IP addresses had an approximate location appended to them.

That's only useful if they plan to use location algorithms like banks to detect possible fraud login's. For example banks do basic location tracking to detect fraud, if you mostly shop in New York in a specific area and they suddenly detect a purchase in Canada your bank should block it, I know my bank does and they'll call me within 20 minutes to confirm it was me (enough time for me to call them and authorize it or if I switch to another card, quick enough for me to tell them I'm in Canada for the week.)

Only have one failed login attempt, from Ecuador. Should i be offended ?

Here are my logs from the last two days:



created_at 2013-11-18 14:45:30




created_at 2013-11-18 06:05:01




created_at 2013-11-17 12:55:31




created_at 2013-11-17 12:40:34

  user.failed_login: Originated from 2 days ago

They should provide the password used to attempt to log in too.

That's a security risk in and of itself. Suppose someone has an account named 'bobs'. For whatever reason, they don't notice that they mistyped and put in 'bob' instead. They try a couple times with their correct password, and now the 'bob' user has in their logs someone else's valid password. Said user could then set up very minimal bits of automation to discover, and break in, to that account.

no, they definitely shouldn't, for the same reason they don't store the real passwords in plain text. it would be a terrible security hole.

Sorry for being ignorant, but why is providing the passwords they guess/automate a security issue?

For one, because if someone does find a hole that gives them access to Github data, they'll have all password attempts, which would include typos of the real password. Which is a terrible, terrible thing to store in a hard drive (see Adobe)

For instance (just a quick idea): because if you make a mistake and enter your gmail password instead of your github password, now your gmail password is stored in clear text in their database, opening another can of worms etc.

Someone from Venezuela tried to log in, but failed.

Care to elaborate?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact