What does HackerNews think of security?

I've just added my 2020 Macbook Air as a security key. It's under "Security keys" in the account security settings [1], just like Yubikeys.

[1] https://github.com/settings/security

If you got an email you should:

- Change your password on https://hub.docker.com

- Check https://github.com/settings/security

- Reconnect oauth for Automated Builds

- Roll over affected passwords and API keys stored in private repos / containers

Quick take:

- Password hashes

- Github tokens

- Bitbucket tokens

- Your Automated Builds might need new tokens

Checking my github logs - it looks like they've known about this for at least a full 24 hours. Most people aren't going to have this looked at until Monday, which kind of sucks. Hopefully there is more of a postmortem coming.

Is anyone from github able to comment on this as well?

There doesn't seem to be a way for us to tell if a repo was read by these keys over that time period.

Maybe a bit too hidden for a critical 10 minutes, but the device login information is readily available in the Security tab of your Github account:

https://github.com/settings/security

This is true only if you use SMS for 2FA.

For either method, you can audit the activity of your account on the GitHub security page: https://github.com/settings/security. For example, upon having deliberately got my 2FA token wrong, "user.two_factor_requested" and "user.failed_login" events were logged for me.

From a Github email to a friend to whom this happened:

"We have reviewed our logs and it doesn't appear that any actions were taken by the attacker other than to authorize the 'GitHub XRP Giveaway' application against your account.

You should be able to find the OAuth events for that application in your account's security history:

https://github.com/settings/security

We do not believe that the application's authors were responsible for the break-in, rather that the attackers were attempting to game the giveaway.

Ripple's explanation of the giveaway can be found here: https://ripple.com/blog/git-in-the-game-2020-xrp-giveaway-fo...

Worth checking https://github.com/settings/security to see if you've seen any failed login attempts that aren't you.

Also recommend enabling 2 factor authentication.

You can check for failed login attempts via this page... https://github.com/settings/security

Recommend enabling 2 factor auth.

I would. Although you can see some of that info here: https://github.com/settings/security

Edit: There are also logs for your organization in https://github.com/organizations//setting...

They also added an audit log so you will be able to track and address any future issues. https://github.com/settings/security