Github recently discovered a distributed brute force password cracking effort. Short version, scammers used a network of 40,000 IP addresses and slow, methodical retries to get around lockout restrictions.
Good news: Github emailed users who were compromised, including some that they could not confirm but suspected were compromised. If you didn’t receive that email, you’re probably ok.
Bad news: They probably tried logging into your account anyway. Check your Github Security page for failed logins (look for user.failed_login). I found one from Indonesia from 3 days ago. A GeoIP lookup tool will give you a botnet world tour.
This is as good a time to repeat password hygiene advice:
- Do not reuse passwords across different sites
- Use strong passwords (12-16+ characters, include symbols and alphanumerics)
- Use a password manager so you don’t have to remember or write down strong passwords. PwSafe is cross-platform, 1Password works well for the Apple ecosystem. There are others, but make sure to use one!
- Use 2 factor authentication for important accounts. I have it for Google, Dropbox, Github. The Google Authenticator app (iOS+Android) and Authy both work well.
Hacker News has a good discussion that covers more angles on this attack and security in general.