A recent brute force attack took over a number of user accounts. Github explains all in a blog post.
“Some Github user accounts with weak passwords were recently compromised due to a brute force password-guessing attack,” said Shawn Davenport, director of security at Github.
“I want to take this opportunity to talk about our response to this specific incident and account security in general.”
Davenport said that the organisation responded to the attack by contacting all those affected and advising them of what action they should take.
First on that list was not to use a weak password; there was other guidance too.
“We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked.
“Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information,” added Davenport.
“Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used. Activity on these accounts showed logins from IP addresses involved in this incident.”
In all, some 40,000 IP addresses were used to brute force passwords. Github says a solution to this is being worked on, and commonly used or weak passwords are not welcome.
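The response described above has two detection steps: identify the IP addresses driving a distributed guessing campaign (many failed logins spread across many accounts), then reset every account that saw a successful login from one of those addresses, strong password or not. The following is an added illustration of that logic over a constructed, simplified auth log; it is not Github's code, and the log format, thresholds and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample auth log (not real Github data): "<ts> <ip> <user> <ok|fail>"
SAMPLE_LOG = """\
2013-11-19T10:00:01Z 198.51.100.7 alice fail
2013-11-19T10:00:02Z 198.51.100.7 bob fail
2013-11-19T10:00:03Z 198.51.100.7 carol fail
2013-11-19T10:00:04Z 198.51.100.7 dave ok
2013-11-19T10:00:05Z 203.0.113.9 alice fail
2013-11-19T10:00:06Z 203.0.113.9 erin fail
2013-11-19T10:00:07Z 203.0.113.9 frank fail
2013-11-19T10:00:08Z 203.0.113.9 grace ok
2013-11-19T10:01:00Z 192.0.2.44 alice fail
2013-11-19T10:01:05Z 192.0.2.44 alice ok
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "ok"))
    return events


def attacking_ips(events, min_failures=3, min_users=3):
    """Flag IPs whose failures are spread over many distinct accounts.

    A distributed campaign tries a few passwords against many users from each
    address, so the per-IP distinct-user count is the signal; a single user
    mistyping their own password (one account, one failure) is not flagged.
    """
    fail_count = Counter()
    fail_users = defaultdict(set)
    for _, ip, user, ok in events:
        if not ok:
            fail_count[ip] += 1
            fail_users[ip].add(user)
    return {ip for ip in fail_count
            if fail_count[ip] >= min_failures and len(fail_users[ip]) >= min_users}


def accounts_to_reset(events, bad_ips):
    """Accounts with a successful login from an attacking IP.

    These are reset regardless of password strength, matching the
    'abundance of caution' step in Github's response.
    """
    return {user for _, ip, user, ok in events if ok and ip in bad_ips}
```

Running `accounts_to_reset(parse_log(SAMPLE_LOG), attacking_ips(parse_log(SAMPLE_LOG)))` on the sample yields `dave` and `grace`, while `alice`, whose only successful login came from an address with a single failure, is left alone.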