If your GitHub password is the same as your password for another online service, it might be time to change it. The project hosting service has warned that someone has been trying to access lots of GitHub accounts. “This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” GitHub said. “We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.” It then reset the passwords for those accounts and notified users.
GitHub noted that its own security has not been hacked. However, a large set of LinkedIn passwords were recently dumped online, and before that someone put MySpace passwords up for sale. Although GitHub didn’t specifically say so, it seems likely that the attacker was trying out login credentials from one of these data dumps.