The popular code repository site GitHub is reporting a sudden surge in attempted account hijackings. In response, the website has reset compromised passwords and banned the use of common weak passwords.
“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses,” GitHub explained in an advisory. “These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to log in to GitHub.com with commonly used weak passwords.”
Users whose passwords are weak, or whose accounts were targeted in the attack, will need to choose a new password the next time they log in. GitHub also recommends that all users enable two-factor authentication.
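The advisory makes two points a defender can act on: per-IP rate limiting alone does not catch an attack spread thinly over tens of thousands of source addresses, and a denylist of commonly used weak passwords removes the easiest targets. The script below is an added illustration, not GitHub's code; the log format, thresholds and the small denylist are assumptions, and the log lines are constructed. It counts failures per IP (which stays under any sensible per-IP limit), then counts distinct failing source IPs per account inside a sliding window, which is where the distributed pattern becomes visible, and marks the affected accounts for a forced reset alongside any accounts with denylisted passwords.

```python
"""Added example: spotting a distributed, low-and-slow login attack by
aggregating failures per account rather than per source IP, plus a weak-
password denylist check. Field layout, thresholds and the denylist are
assumptions for illustration; the events are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (iso_timestamp, account, source_ip, success).
# 'alice' gets one failed attempt from each of six different addresses, so no
# single IP ever exceeds a per-IP limit of, say, three failures.
SAMPLE_LOG = [
    ("2013-11-19T10:00:00", "alice", "198.51.100.1", False),
    ("2013-11-19T10:02:00", "alice", "198.51.100.2", False),
    ("2013-11-19T10:04:00", "alice", "198.51.100.3", False),
    ("2013-11-19T10:06:00", "alice", "198.51.100.4", False),
    ("2013-11-19T10:08:00", "alice", "198.51.100.5", False),
    ("2013-11-19T10:10:00", "alice", "198.51.100.6", False),
    ("2013-11-19T10:03:00", "bob", "203.0.113.7", False),   # a typo, then success
    ("2013-11-19T10:03:30", "bob", "203.0.113.7", True),
    ("2013-11-19T10:05:00", "carol", "203.0.113.8", True),
]

# Constructed denylist standing in for a list of commonly used weak passwords.
COMMON_WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "github1"}


def per_ip_failures(events):
    """Failed-login count per source IP: the view a per-IP rate limiter has."""
    counts = defaultdict(int)
    for _, _, ip, ok in events:
        if not ok:
            counts[ip] += 1
    return dict(counts)


def distributed_targets(events, window=timedelta(minutes=15), min_distinct_ips=5):
    """Accounts that received failed logins from at least `min_distinct_ips`
    different source addresses within any window of length `window`.
    Returns {account: distinct_ip_count} for the first window that trips."""
    failures = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:
            failures[user].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for user, fails in failures.items():
        fails.sort()  # order by time so each index starts a candidate window
        for i, (start, _) in enumerate(fails):
            ips = {ip for t, ip in fails[i:] if t - start <= window}
            if len(ips) >= min_distinct_ips:
                flagged[user] = len(ips)
                break
    return flagged


def password_is_acceptable(candidate, min_length=8):
    """Reject denylisted passwords (case-insensitively) and very short ones."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON_WEAK_PASSWORDS


def accounts_requiring_reset(events, weak_password_accounts):
    """Union of targeted accounts and accounts known to use a weak password,
    mirroring a policy of forcing a new password at next login for both."""
    return set(distributed_targets(events)) | set(weak_password_accounts)


if __name__ == "__main__":
    print("per-IP failures:", per_ip_failures(SAMPLE_LOG))
    print("distributed targets:", distributed_targets(SAMPLE_LOG))
    print("reset required:", accounts_requiring_reset(SAMPLE_LOG, {"dave"}))
```

The per-IP view reports at most one failure from any address, so a limiter keyed on IP sees nothing unusual; the per-account view flags `alice` with six distinct failing sources in ten minutes. In a real deployment the window and the distinct-IP threshold should be tuned against the normal behaviour of accounts that legitimately log in from many networks.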