Confirming that people who should know better are still reusing passwords, attackers have successfully used login credentials stolen from other sites to access GitHub accounts.
The attackers were attempting to log into GitHub accounts using email addresses and passwords obtained from other online services that have been breached recently, GitHub said in a statement. After the company became aware of a large number of unauthorized attempts, it reset the passwords on affected accounts and began notifying users.
"We immediately began investigating and found that the attacker had been able to log in to a number of GitHub accounts," the statement said.
This attack illustrates what frequently happens in the aftermath of a data breach. Online attackers try out email and password combinations exposed in the breach on different services, such as banking, email, and social media sites. The fact that they are invariably successful shows that despite years of warning users to not select the same password across multiple sites, password reuse remains rampant.
Attackers don't need to directly attack a site to break into user accounts. They start with a massive data dump, such as the 2013 Adobe breach that exposed account information for 38 million users, 117 million passwords from LinkedIn's 2012 breach, 360 million credentials from MySpace, and 65 million from Tumblr. There is no shortage of data breaches with passwords compromised, and the attackers only need to run through the lists to find which ones open up other accounts on other sites.
The attacker can then package up the shared credentials and resell it to other buyers as verified lists, much like what happened to Dropbox and Twitter recently. Buyers know the passwords have been tested and confirmed, making these lists more valuable.
GitHub isn't the only company affected by the password reuse attack. Attackers appear to have used stolen passwords from other sites to break into several TeamViewer accounts recently, going so far as to seize remote control of user machines and accessing PayPal accounts.
For a while, there was a sense that it was OK to reuse passwords for "low value" accounts. But what one person may consider low-value can be valuable to someone else.
In the case of GitHub, there's no financial data or personal identifiable information. Unauthorized access to GitHub can have serious implications, though, as the person would be able to access repositories and modify code. The attacker can sneak in malicious code snippets that can be used for other attacks, embed malware, or even build backdoors, and anyone who downloads the latest code is none the wiser. Whoever gets a hold of the GitHub password can cause a lot of damage, not only to the account holder, but to anyone else who uses that code.
GitHub recommended selecting strong, unique passwords, but also advised turning on two-factor authentication. GitHub supports a mobile-phone based authentication app to generate one-time login codes as well as SMS text messages delivering single-use codes. A few months ago, GitHub added support for YubiKey for users who prefer hardware-based authentication.
With so much exposed password data, it's easy for criminals to test stolen credentials against other sites. There is no safe way to reuse passwords. Turn on two-factor authentication wherever possible and use password managers to help generate and store strong and complex passwords.