GitHub security engineer Shawn Davenport this week announced that an undisclosed number of user accounts were recently compromised via a brute force password-guessing attack that involved the use of nearly 40,000 unique IP addresses (h/t CSO).
Users with compromised accounts have been notified by e-mail, their passwords have been reset, and their personal access tokens, OAuth authorizations and SSH keys have all been revoked.
"Affected users will need to create a new, strong password and review their account for any suspicious activity," Davenport wrote. "This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information."
All users are being advised to review their accounts, ensure that they have strong passwords, and enable two-factor authentication.
Commonly-used weak passwords will be rejected, according to Davenport.