GitHub urged some users to reset their passwords after a problem caused internal logs to record passwords in plain text.
Some users published on Twitter the communication received via email by the company, the incident was discovered during a regular internal audit.
The company immediately clarified that its systems were not hacked and that users’ data are not at risk.
According to GitHub, only a “small number” of users are affected, the company forced them a password reset for their accounts and confirmed to have fixed the problem.
The mail provides details on the problems and explained that user passwords were stored in a secure way.
“GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset,” GitHub said.
The company added that the plaintext passwords were only accessible through internal log files accessible to a small portion of its IT staff, they were not publicly available.
Back in June 2016, the company adopted a similar measure forcing password reset for its customers after it became aware of unauthorized attempts to access a large number of its accounts.
GitHub accounts could represent a mine of information for attackers, in March 2017 threat actors targeted developers having repositories with a data-stealing malware called Dimnie. The malicious code includes keylogging features and modules that capture screenshots, the attackers were searching something of interest among the huge number of projects hosted on the platform.
(Security Affairs – GitHub , password)