Peter Christensen


Password Hygiene

November 22, 2013 by Peter

GitHub recently discovered a distributed brute-force password-cracking effort. Short version: scammers used a network of 40,000 IP addresses and slow, methodical retries to get around lockout restrictions.

Good news: GitHub emailed users who were compromised, including some that they could not confirm but suspected were compromised. If you didn't receive that email, you're probably OK.

Bad news: They probably tried logging into your account anyway. Check your GitHub Security page for failed logins (look for user.failed_login). I found one from Indonesia from 3 days ago. A GeoIP lookup tool will give you a botnet world tour.
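The slow, many-address pattern described above can be shown from the defender's side with this added example, which is not from the original post or from GitHub. It compares a per-IP failure threshold with a per-account count of distinct source IPs. The lockout rule, the thresholds, the tuple layout and the sample rows are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED = "user.failed_login"  # audit-log action name quoted in the post

def build_sample_events():
    """Constructed sample rows (not real data): (time, account, source IP, action)."""
    start = datetime(2013, 11, 19)
    # 30 failures against "alice", each from a different IP, 20 minutes apart.
    rows = [(start + timedelta(minutes=20 * i), "alice", f"198.51.100.{i + 1}", FAILED) for i in range(30)]
    # "bob" mistypes his own password twice from a single IP.
    rows += [(start + timedelta(minutes=i), "bob", "203.0.113.7", FAILED) for i in range(2)]
    return rows

def _group(events, column):
    """Failed logins grouped by tuple column (1 = account, 2 = IP), time-sorted."""
    groups = defaultdict(list)
    for ev in events:
        if ev[3] == FAILED:
            groups[ev[column]].append(ev)
    return {key: sorted(rows) for key, rows in groups.items()}

def per_ip_lockouts(events, max_failures=5, window=timedelta(minutes=15)):
    """IPs with more than max_failures failures inside window (assumed lockout rule)."""
    flagged = set()
    for ip, rows in _group(events, 2).items():
        lo = 0
        for hi, row in enumerate(rows):
            while row[0] - rows[lo][0] > window:
                lo += 1
            if hi - lo + 1 > max_failures:
                flagged.add(ip)
    return flagged

def distributed_targets(events, min_distinct_ips=10, window=timedelta(hours=24)):
    """Accounts whose failures came from >= min_distinct_ips IPs inside window."""
    flagged = {}
    for account, rows in _group(events, 1).items():
        lo, live, best = 0, Counter(), 0
        for ts, _acct, ip, _action in rows:
            live[ip] += 1
            while ts - rows[lo][0] > window:  # slide the window forward
                live[rows[lo][2]] -= 1
                lo += 1
            best = max(best, len(+live))  # +Counter drops zero counts
        if best >= min_distinct_ips:
            flagged[account] = best
    return flagged
```

On the constructed rows the per-IP rule flags nothing, while the per-account view reports 30 distinct source IPs against one account.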

This is as good a time as any to repeat password hygiene advice:

  • Do not reuse passwords across different sites.
  • Use strong passwords (12-16+ characters, include symbols and alphanumerics).
  • Use a password manager so you don't have to remember or write down strong passwords. PwSafe is cross-platform; 1Password works well for the Apple ecosystem. There are others, but make sure to use one!
  • Use two-factor authentication for important accounts. I have it for Google, Dropbox, GitHub. The Google Authenticator app (iOS+Android) and Authy both work well.

Hacker News has a good discussion that covers more angles on this attack and security in general. Here’s an article about why you should not reuse passwords.

Stay safe!
