
GitHub says bug exposed some plaintext passwords but urges it wasn't a breach

ItsMitch

Source: https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

GitHub Security sent out an email to a tiny pool of users this morning about a security incident that took place at the company. The incident is reported as follows: passwords that were logged into its internal logging system were, on rare occasions, recorded in plaintext instead of bcrypt-hashed. GitHub has since resolved the issue, sent out an email to all affected users, and is making sure they reset their passwords. GitHub also went on to assure users that this information wasn't public and that it's not aware of its employees having reviewed the passwords.

Quote

 

GitHub has said a bug exposed some user passwords -- in plaintext. The code repository site, with more than 27 million users as of last year, sent an email to affected users Tuesday. "During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," said the email, received by some users. The email said that a handful of GitHub staff could have seen those passwords -- and that it's "unlikely" that any GitHub staff accessed the site's internal logs. "We have corrected this, but you'll need to reset your password to regain access to your account," the email added. ZDNet reached out to several users who received the email and verified its authenticity.

 

 

Email received - source: me

[screenshot of the email]

 

Props to GitHub for actually letting people know it happened and not trying to sweep it under the rug. :Clap: to their security and audit team.

HarryNyquist said:

"Secure internal logs" with passwords? Why exactly? Any log entry should just say "User 21857629 changed password at time". No need to include any passwords, plaintext or encrypted.
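The logging discipline this comment argues for, shown as an added example written for this thread (it is not GitHub's code and says nothing about how GitHub's bug actually happened): a request payload logged naively versus scrubbed, the event-only line the comment describes, a logging.Filter as a backstop for lines built by string formatting, and a canary check a test suite can run over captured log output. The "password_reset" handler, the field names and the sample values are all assumptions.

```python
"""Keep secrets out of application logs: structured redaction, a
logging.Filter backstop, and a canary scan over captured log output.
Example code written for this thread, not GitHub's code; the
"password_reset" handler, field names and sample values are hypothetical."""
import io
import json
import logging
import re
from datetime import datetime, timezone

# Field names whose values must never reach a log line (extend to taste).
SENSITIVE_KEYS = {"password", "new_password", "old_password",
                  "password_confirmation", "token", "secret"}

# key=value or "key": "value" forms inside an already-formatted string.
SECRET_KV_RE = re.compile(
    r'(?i)\b(password|passwd|token|secret)("?\s*:\s*"?|=)([^&\s"]+)')


def naive_log_line(params):
    """The bug-prone pattern: dump the whole request payload into the log."""
    return "password_reset params=" + json.dumps(params, sort_keys=True)


def redact(obj):
    """Return a copy of a dict/list tree with sensitive values replaced."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def safe_log_line(params):
    """Same log line, but the payload is scrubbed before serialisation."""
    return "password_reset params=" + json.dumps(redact(params), sort_keys=True)


def event_log_line(user_id, event, when=None):
    """What the log should say: who did what, when. No payload at all."""
    when = when or datetime.now(timezone.utc)
    return f"user={user_id} event={event} at={when.isoformat()}"


def scrub_text(line):
    """Backstop for log lines built by string formatting rather than dicts."""
    return SECRET_KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed, whoever emitted it."""
    def filter(self, record):
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # message is already formatted; drop the args
        return True


def capture_with_filter(messages, use_filter=True):
    """Log each message through a StringIO handler; return the output lines."""
    logger = logging.getLogger(f"demo.{use_filter}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if use_filter:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    for msg in messages:
        logger.info(msg)
    handler.flush()
    return buf.getvalue().splitlines()


def find_leaks(log_lines, canaries):
    """Indices of log lines containing any canary secret. Run in CI with a
    known test password so a regression that logs it fails the build."""
    return [i for i, line in enumerate(log_lines)
            if any(c in line for c in canaries)]


if __name__ == "__main__":
    # Constructed sample request; the password is a canary value.
    req = {"user_id": 21857629, "password": "canary-hunter2", "remember": True}
    lines = [naive_log_line(req), safe_log_line(req),
             event_log_line(req["user_id"], "password_changed")]
    print("\n".join(lines))
    print("leaking lines:", find_leaks(lines, ["canary-hunter2"]))
    print("\n".join(capture_with_filter(["login user=1&password=canary-hunter2"])))
```

The structured redaction is the real fix; the regex filter only catches the key=value shapes it knows about, so treat it as defence in depth, and treat the canary scan as the regression test that would have flagged a line like the first one before it reached production logs.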

mynameisjuan said:

2 minutes ago, HarryNyquist said:

"Secure internal logs" with passwords? Why exactly? Any log entry should just say "User 21857629 changed password at time". No need to include any passwords, plaintext or encrypted.

You do know what the definition of a bug is, right?


4 minutes ago, mynameisjuan said:

You do know what the definition of a bug is, right?

Oh, it does say that, doesn't it. Hah. More coffee required.
