github repository site developers

Casimiro PT/Shutterstock (Licensed)

Github security flaw leaks user passwords to employees

We strongly recommend changing your password.


Phillip Tracy


Published May 2, 2018   Updated May 21, 2021, 4:56 pm CDT

Programmers rely on Github to securely host their open-source software projects. But a recently disclosed bug that exposed passwords may make developers wary of storing their code on the popular repository site.

Featured Video Hide

Github sent an email on Tuesday warning of a glitch in its password reset feature that leaked user passwords in plain text to the company’s internal logs. The site assures passwords were only seen by a small number of employees with access to the logs. They were not released to the public or made available to other users.

Advertisement Hide

Dozens of users posted the email they received to Twitter, though some thought it was a phishing campaign, Bleeping Computer reports.

It was determined the security vulnerability, reportedly discovered during a regular audit, only affects users who recently reset their passwords. Those programmers will be asked to do it again.

The company says the plain text passwords were exposed to a small number of employees with access to the logs. It’s not clear how long the passwords have been leaking, but only a fraction of Github’s 27 million users was affected, suggesting the security flaw formed in the past few weeks.

Advertisement Hide

Github emphasized it had not been the victim of an attack. In June 2016, the software development platform was forced to send out password resets after a bad actor started gaining access to accounts using passwords they had stolen from other compromised sites, like LinkedIn, Dropbox, and MySpace.

In its email to those affected, Github explained it stores passwords with secure “cryptographic hashes (bcrypt),” a powerful encryption algorithm, not plain text. “We use modern cryptographic methods to ensure passwords are stored securely in production.”

Github appears to have fixed the problem. If you received an email from the platform, we strongly recommend you update your password. In fact, you should probably throw it out for good given the chance someone has seen it.

The Daily Dot has reached out to Github and will update this article if we learn more about the bug.

Share this article
*First Published: May 2, 2018, 8:33 am CDT