{"id":30271,"date":"2013-11-20T02:53:50","date_gmt":"2013-11-20T10:53:50","guid":{"rendered":"https:\/\/github.blog\/\/2013-11-20-weak-passwords-brute-forced\/"},"modified":"2019-01-04T08:41:50","modified_gmt":"2019-01-04T16:41:50","slug":"weak-passwords-brute-forced","status":"publish","type":"post","link":"https:\/\/github.blog\/news-insights\/the-library\/weak-passwords-brute-forced\/","title":{"rendered":"Weak passwords brute forced"},"content":{"rendered":"<p>Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack. I want to take this opportunity to talk about our response to this specific incident and account security in general.<\/p>\n<p>We sent an email to users with compromised accounts letting them know what to do.<br \/>\nTheir passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked. Affected users will need to create a new, <a href=\"https:\/\/help.github.com\/articles\/what-is-a-strong-password\">strong password<\/a> and <a href=\"https:\/\/help.github.com\/articles\/preventing-unauthorized-access\">review their account<\/a> for any suspicious activity. 
This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information.<\/p>\n<p>Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used.<br \/>\nActivity on these accounts showed logins from IP addresses involved in this incident.<\/p>\n<p>The <a href=\"https:\/\/github.com\/settings\/security\">Security History page<\/a> logs important events involving your account.<br \/>\nIf you had a strong password or GitHub&#8217;s <a href=\"https:\/\/help.github.com\/articles\/about-two-factor-authentication\">two-factor authentication<\/a> enabled, you may still have seen failed attempts to access your account.<\/p>\n<p>This is a great opportunity for you to <a href=\"https:\/\/help.github.com\/articles\/preventing-unauthorized-access\">review your account<\/a>, ensure that you have a <a href=\"https:\/\/help.github.com\/articles\/what-is-a-strong-password\">strong password<\/a> and enable <a href=\"https:\/\/help.github.com\/articles\/about-two-factor-authentication\">two-factor authentication<\/a>.<\/p>\n<p>While we aggressively rate-limit login attempts and passwords are <a href=\"http:\/\/en.wikipedia.org\/wiki\/Bcrypt\">stored properly<\/a>, this incident has involved the use of nearly 40K unique IP addresses. These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to log in to GitHub.com with commonly used weak passwords.<\/p>\n<p>If you have any questions or concerns, please <a href=\"https:\/\/github.com\/contact\">let us know<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack. 
I want to take this opportunity to talk about our response to this&hellip;<\/p>\n","protected":false},"author":1332,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_gh_post_show_toc":"","_gh_post_is_no_robots":"","_gh_post_is_featured":"","_gh_post_is_excluded":"","_gh_post_is_unlisted":"","_gh_post_related_link_1":"","_gh_post_related_link_2":"","_gh_post_related_link_3":"","_gh_post_sq_img":"","_gh_post_sq_img_id":"","_gh_post_cta_title":"","_gh_post_cta_text":"","_gh_post_cta_link":"","_gh_post_cta_button":"","_gh_post_recirc_hide":"","_gh_post_recirc_col_1":"","_gh_post_recirc_col_2":"","_gh_post_recirc_col_3":"","_gh_post_recirc_col_4":"","_featured_video":"","_gh_post_additional_query_params":"","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"{title}\n\n{excerpt}\n\n{url}","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_wpas_customize_per_network":false,"jetpack_post_was_ever_published":false,"_links_to":"","_links_to_target":""},"categories":[3321,3338],"tags":[],"coauthors":[],"class_list":["post-30271","post","type-post","status-publish","format-standard","hentry","category-news-insights","category-the-library"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.7 (Yoast SEO v27.7) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Weak passwords brute forced - The GitHub Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Weak passwords brute forced\" \/>\n<meta property=\"og:description\" content=\"Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack. I want to take this opportunity to talk about our response to this&hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/\" \/>\n<meta property=\"og:site_name\" content=\"The GitHub Blog\" \/>\n<meta property=\"article:published_time\" content=\"2013-11-20T10:53:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-01-04T16:41:50+00:00\" \/>\n<meta name=\"author\" content=\"Shawn Davenport\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Shawn Davenport\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/\"},\"author\":{\"name\":\"Shawn Davenport\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/8356f7a2d4acf902a6c8970e5eed8a5c\"},\"headline\":\"Weak passwords brute forced\",\"datePublished\":\"2013-11-20T10:53:50+00:00\",\"dateModified\":\"2019-01-04T16:41:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/\"},\"wordCount\":286,\"articleSection\":[\"News &amp; insights\",\"The library\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/\",\"url\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/\",\"name\":\"Weak passwords brute forced - The GitHub 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#website\"},\"datePublished\":\"2013-11-20T10:53:50+00:00\",\"dateModified\":\"2019-01-04T16:41:50+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/8356f7a2d4acf902a6c8970e5eed8a5c\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/weak-passwords-brute-forced\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/github.blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News &amp; insights\",\"item\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"The library\",\"item\":\"https:\\\/\\\/github.blog\\\/news-insights\\\/the-library\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Weak passwords brute forced\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/github.blog\\\/#website\",\"url\":\"https:\\\/\\\/github.blog\\\/\",\"name\":\"The GitHub Blog\",\"description\":\"Updates, ideas, and inspiration from GitHub to help developers build and design software.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/github.blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/github.blog\\\/#\\\/schema\\\/person\\\/8356f7a2d4acf902a6c8970e5eed8a5c\",\"name\":\"Shawn 
Davenport\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=gc94554a930a81ed6c0b3e83212db8c2d\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=g\",\"caption\":\"Shawn Davenport\"},\"sameAs\":[\"https:\\\/\\\/about.me\\\/shawndavenport\"],\"url\":\"https:\\\/\\\/github.blog\\\/author\\\/shawndavenport\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Weak passwords brute forced - The GitHub Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/","og_locale":"en_US","og_type":"article","og_title":"Weak passwords brute forced","og_description":"Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack. I want to take this opportunity to talk about our response to this&hellip;","og_url":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/","og_site_name":"The GitHub Blog","article_published_time":"2013-11-20T10:53:50+00:00","article_modified_time":"2019-01-04T16:41:50+00:00","author":"Shawn Davenport","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Shawn Davenport","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/#article","isPartOf":{"@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/"},"author":{"name":"Shawn Davenport","@id":"https:\/\/github.blog\/#\/schema\/person\/8356f7a2d4acf902a6c8970e5eed8a5c"},"headline":"Weak passwords brute forced","datePublished":"2013-11-20T10:53:50+00:00","dateModified":"2019-01-04T16:41:50+00:00","mainEntityOfPage":{"@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/"},"wordCount":286,"articleSection":["News &amp; insights","The library"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/","url":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/","name":"Weak passwords brute forced - The GitHub Blog","isPartOf":{"@id":"https:\/\/github.blog\/#website"},"datePublished":"2013-11-20T10:53:50+00:00","dateModified":"2019-01-04T16:41:50+00:00","author":{"@id":"https:\/\/github.blog\/#\/schema\/person\/8356f7a2d4acf902a6c8970e5eed8a5c"},"breadcrumb":{"@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/github.blog\/news-insights\/weak-passwords-brute-forced\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/github.blog\/"},{"@type":"ListItem","position":2,"name":"News &amp; insights","item":"https:\/\/github.blog\/news-insights\/"},{"@type":"ListItem","position":3,"name":"The library","item":"https:\/\/github.blog\/news-insights\/the-library\/"},{"@type":"ListItem","position":4,"name":"Weak passwords brute 
forced"}]},{"@type":"WebSite","@id":"https:\/\/github.blog\/#website","url":"https:\/\/github.blog\/","name":"The GitHub Blog","description":"Updates, ideas, and inspiration from GitHub to help developers build and design software.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/github.blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/github.blog\/#\/schema\/person\/8356f7a2d4acf902a6c8970e5eed8a5c","name":"Shawn Davenport","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=gc94554a930a81ed6c0b3e83212db8c2d","url":"https:\/\/secure.gravatar.com\/avatar\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/dcf2fe3bd2f36ff9235c0a882145bace302d74de5f635a7619a6e2355d1b024d?s=96&d=mm&r=g","caption":"Shawn 
Davenport"},"sameAs":["https:\/\/about.me\/shawndavenport"],"url":"https:\/\/github.blog\/author\/shawndavenport\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pamS32-7Sf","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/30271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/users\/1332"}],"replies":[{"embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/comments?post=30271"}],"version-history":[{"count":0,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/posts\/30271\/revisions"}],"wp:attachment":[{"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/media?parent=30271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/categories?post=30271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/tags?post=30271"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/github.blog\/wp-json\/wp\/v2\/coauthors?post=30271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}