GitHub Admits to Recording Some Plaintext Passwords in Its Internal Logs
According to a BleepingComputer report, GitHub recently admitted that, due to a mistake, some users’ passwords were exposed in plaintext. GitHub is the world’s largest code hosting platform; by the end of last year it had 27 million users. GitHub recently sent an email to affected users asking them to change their passwords.
According to GitHub’s notice, it discovered during a periodic audit a bug that exposed a small number of users’ passwords through an internal logging system. GitHub said that only a few of its employees could see these passwords, and that it is unlikely that any employee accessed the internal logs in question.
Whoah @github seems to be having a #users #password issue. Has anyone else received it? pic.twitter.com/m8ybsanjBP
— SwitHak (👁) (@SwitHak), May 1, 2018
It is understood that GitHub has already fixed the issue, but affected users must reset their passwords to regain access to their accounts. It is not yet known how many people were affected by this bug, nor what caused it.
GitHub’s explanation is that it stores users’ passwords with bcrypt (a strong password hashing algorithm), but the error “causes our secure internal log to record the clear-text user password when the user initiates a password reset.”
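The failure mode described above, a request handler that hands the whole password-reset request to the logger, is easy to reproduce and easy to prevent. The following is an added example written for this article, not GitHub’s code, and it makes no claim about how GitHub’s logging was actually implemented. It shows the unsafe pattern (logging the full request body, new password included) next to a hardened version that scrubs password-like fields before they are formatted, plus a `logging.Filter` that redacts structured arguments of every record as a safety net for handlers that forget. The field-name pattern, the logger names and the sample request body are assumptions constructed for the example.

```python
import logging
import re
from typing import Any

# Constructed pattern of field names that must never reach a log line.
# This set is an assumption for the example; tune it to your own forms.
SENSITIVE_KEY = re.compile(r"pass(word|wd|phrase)?|secret|token|otp", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact(value: Any) -> Any:
    """Return a copy of value with the values of sensitive keys replaced, recursing into nested data."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if SENSITIVE_KEY.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


class RedactingFilter(logging.Filter):
    """Safety net: scrub dict/list arguments of every record before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # logging stores a lone mapping argument directly in record.args
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines so the example can inspect what would have been written to disk."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def _make_logger(name: str, with_filter: bool):
    # Hypothetical logger name; a fresh, isolated logger per call keeps the example deterministic.
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if with_filter:
        logger.addFilter(RedactingFilter())
    return logger, handler


def log_reset_request(body: dict, hardened: bool) -> str:
    """Log a password-reset request unsafely (hardened=False) or with redaction (hardened=True).

    Returns the line that reached the handler, i.e. what an operator would see in the log file.
    """
    logger, handler = _make_logger(f"reset.{'safe' if hardened else 'unsafe'}", with_filter=hardened)
    # Same call in both modes: the whole request body, which carries the new password, goes to the logger.
    # Without the filter this is exactly the mistake the article describes.
    logger.info("password reset request: %s", body)
    return handler.lines[-1]


if __name__ == "__main__":
    # Constructed sample request body; the secret value is fake.
    sample = {
        "user": "alice",
        "new_password": "hunter2-constructed",
        "confirm": {"password": "hunter2-constructed"},
    }
    print(log_reset_request(sample, hardened=False))  # plaintext lands in the log
    print(log_reset_request(sample, hardened=True))   # [REDACTED] in place of both password fields
```

The redaction runs in the logger's filter chain, before any handler formats the record, so it also covers log lines written by code paths that never thought about passwords. Key-name matching is deliberately broad; a false positive redacts a harmless field, while a miss reproduces the incident.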
Previously, Twitter made a similarly careless mistake. GitHub itself had issued password change and reset prompts in June 2016, when usernames and passwords taken from other services were tried against GitHub accounts.