Source hosting service GitHub recently made users aware of a concerted attempt to compromise user accounts via brute-forcing of passwords. While GitHub managed to handle the attack without the world exploding, it has since implemented new measures to prevent future incidents.
GitHub already has two-factor authentication, rate-limiting (which forces a user to wait a short period of time before entering their password after a failed attempt) and a security log feature to help users keep their accounts safe. Unfortunately, without two-factor authentication enabled, it’s possible to brute force a password, given enough time.
In this case, 40,000 unique IP addresses were used to conduct the attack, bypassing any rate-limiting protection and making it very difficult to simply block the source. As a result, those accounts with “weak passwords” quickly fell victim to the assault.
GitHub has since reset passwords, authorisation tokens and SSH keys of the affected accounts. Perhaps the biggest change is preventing users from using “commonly-used weak passwords” to log into their account.
GitHub also plans to work on “additional rate-limiting measures”, though it doesn’t go into specifics.