Security News GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs


Deleted member 65228

Thread author
In an email sent out today, GitHub has warned a select number of users that a bug in its password reset functionality has recorded users' passwords in plaintext format inside the company's internal logs.

The company says that the plaintext passwords have only been exposed to a small number of GitHub employees with access to those logs. No other GitHub users have seen users' plaintext passwords, the company said.

GitHub says that normally, passwords are secure, as they are hashed with the bcrypt algorithm. The company blamed a bug for plaintext passwords ending up in its internal logs. Only users who've recently reset passwords were affected.

The number of affected users is expected to be low. Bleeping Computer has reached out to GitHub for a tally of affected customers, but the company did not respond before this article's publication.

Read more at the official source: GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs
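The article above describes two things: passwords normally stored only as bcrypt hashes, and a reset-flow bug that wrote the plaintext into internal logs. The following is an added example, not GitHub's code, showing the logging mistake next to a hardened version, plus a logging filter as a safety net. The request body is constructed sample data, and PBKDF2-HMAC from the standard library stands in for bcrypt so the script runs without third-party packages.

```python
import hashlib
import hmac
import json
import logging
import os
import re

# Constructed sample: what a password-reset endpoint might receive.
SAMPLE_RESET_REQUEST = {"token": "reset-token-abc123", "new_password": "hunter2!Example"}

# Field names that must never reach a log line, compared case-insensitively.
SECRET_FIELDS = ("password", "new_password", "passwd", "token", "secret")


def vulnerable_log_line(request_body: dict) -> str:
    """The failure mode from the article: the whole request body is logged
    verbatim, so the new plaintext password lands in the internal logs."""
    return "password reset request: " + json.dumps(request_body)


def redact(request_body: dict) -> dict:
    """Hardened form: replace secret-bearing fields before anything is logged."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
            for k, v in request_body.items()}


def safe_log_line(request_body: dict) -> str:
    return "password reset request: " + json.dumps(redact(request_body))


# Defence in depth: mask password-looking values in any log message, so a
# forgotten redact() call still does not leak the secret. Matches forms such as
#   "new_password": "x"   password=x   passwd: x
_SECRET_PATTERN = re.compile(
    r'((?:new_)?pass(?:word|wd)"?\s*[:=]\s*)"?([^",\s}]+)"?', re.IGNORECASE)


def scrub_secrets(text: str) -> str:
    return _SECRET_PATTERN.sub(r'\1"[REDACTED]"', text)


class SecretScrubbingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_secrets(record.getMessage())
        record.args = ()
        return True


# Stand-in for bcrypt (assumption: the page names bcrypt, stdlib has none):
# salted PBKDF2-HMAC-SHA256 with a high iteration count.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    logger = logging.getLogger("reset")
    logger.addFilter(SecretScrubbingFilter())
    logging.basicConfig(level=logging.INFO)
    print("BAD :", vulnerable_log_line(SAMPLE_RESET_REQUEST))
    print("GOOD:", safe_log_line(SAMPLE_RESET_REQUEST))
    logger.info(vulnerable_log_line(SAMPLE_RESET_REQUEST))  # filter masks it anyway
    stored = hash_password(SAMPLE_RESET_REQUEST["new_password"])
    print("verify:", verify_password("hunter2!Example", stored))
```

The filter is the detection-side control worth keeping even after the code path is fixed: audit any log sink for the regex's matches, and treat a hit as an incident to triage rather than noise.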

Deleted member 65228

Thread author
I heard about this the other day when a friend of mine told me that he had an e-mail from GitHub about this... unluckily for him, he was one of the people whose password was left in plain-text.

Thankfully mine wasn't.

Let this be a lesson for those who do not use different passwords for different services though. GitHub is a reputable service of course, and I trust them personally, however it is important to remember that if someone can access your password in plain-text, unless you are using a different password for different accounts on different services, they could then compromise all of your accounts just from having that one password. It is really important to stress this because I know people who have blatantly ignored practices such as using different passwords for different services, and I have then witnessed them eventually wish they hadn't re-used the same password.

For those who use a lot of services and are unable to remember different passwords which are also "secure" (and by "secure" I am referring to having a lot of characters, a combination of upper/lower case characters, numbers without a sequence and special characters), I recommend a good password manager. There are many available and with some trial and error you should be able to find one that works for you; at least this way you can enforce safe passwords on different services, and also not re-use them more than once.

As a final note, I recommend changing your password every few months at a minimum. Breaches happen all of the time, and some companies may hide it for years before you find out the truth (as we've seen in the past). If you at least reset your password every few months, you would be doing yourself a favor. Resetting it every month would be even safer in my opinion.

There's a service out there which does let you check if your password has been in a proper leak dump. While it won't be 100% reliable, since it relies on dumps the developers are aware of, it is better than nothing and does work well. You can find it here: Have I Been Pwned: Check if your email has been compromised in a data breach

Remember that this isn't to do with the GitHub situation, the passwords which were in plain-text were not leaked nor seen by anyone except a few GitHub staff who worked on identifying and solving the issue. All of this is simply as a reminder/guidance for those who do not already have good password security practices. If you want to be safe online, you have to keep yourself safe.