GitHub users may have had their accounts compromised in a brute-force attack that mostly impacted individuals with weak passwords, according to a Tuesday blog post by Shawn Davenport, GitHub director of security.
Affected individuals have had their passwords reset. Additionally, their personal access tokens, OAuth authorizations and SSH keys have been revoked.
Davenport wrote that users with strong passwords may have been compromised and is encouraging people to review their accounts and enable two-factor authentication.
“While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses,” Davenport wrote. Attackers were said to reside in locations including China and Indonesia, according to reports.