GitHub saved plaintext passwords of npm users in log files, post mortem reveals
2022-05-27 12:15

GitHub has revealed it stored a "number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems.

The code shack went on to assure users that the relevant log files had not been leaked in any data breach, that it had improved its log cleanup, and that it removed the logs in question "prior to the attack on npm."

GitHub already sent out notifications for "known victims of third-party OAuth token theft" in April but today said it planned to "directly notify affected users of the plaintext passwords and GitHub Personal Access Tokens based on our available logs."
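As an added illustration of the kind of log cleanup the post-mortem refers to (this is example code written for this page, not GitHub's or npm's own), the following redacts credential-bearing fields from registry request log lines before they are retained and tallies what it found. The rule names, minimum token lengths and sample log lines are assumptions constructed for the demo; only the public "ghp_" and "npm_" token prefixes are real.

```python
import re

# Each rule: (name, compiled pattern, replacement). Names are descriptive only.
# Token prefixes: GitHub classic PATs start with "ghp_", npm granular tokens
# with "npm_" (public formats); the 20-char minimum length is an assumption.
REDACTION_RULES = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{20,}"), "ghp_[REDACTED]"),
    ("npm_token", re.compile(r"\bnpm_[A-Za-z0-9]{20,}"), "npm_[REDACTED]"),
    ("authorization_header",
     re.compile(r"(?i)(authorization:\s*(?:bearer|basic|token)\s+)\S+"),
     r"\1[REDACTED]"),
    ("json_password_field",
     re.compile(r'("(?:password|_authToken)"\s*:\s*")[^"]*(")'),
     r"\1[REDACTED]\2"),
    ("query_param",
     re.compile(r'(?i)([?&](?:token|password|_authToken)=)[^&\s"]+'),
     r"\1[REDACTED]"),
]

def redact_log_line(line):
    """Return (redacted_line, names_of_rules_that_fired) for one log line."""
    hits = []
    for name, pattern, replacement in REDACTION_RULES:
        line, count = pattern.subn(replacement, line)
        if count:
            hits.append(name)
    return line, hits

def scan_logs(lines):
    """Redact every line and count how often each credential kind appeared."""
    redacted, tally = [], {}
    for line in lines:
        clean, hits = redact_log_line(line)
        redacted.append(clean)
        for name in hits:
            tally[name] = tally.get(name, 0) + 1
    return redacted, tally

# Constructed sample lines, modelled on what a registry request log might hold.
SAMPLE_LOG = [
    'PUT /-/user/org.couchdb.user:alice body={"name":"alice","password":"hunter2"}',
    'GET /lodash headers=Authorization: Bearer npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789',
    'GET /api/repos headers=Authorization: token ghp_abcdefghijklmnopqrstuvwxyz0123456789',
    'GET /-/whoami?token=npm_zyxwvutsrqponmlkjihgfedcba9876543210',
    'GET /express 200 12ms',
]

if __name__ == "__main__":
    cleaned, summary = scan_logs(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(summary)
```

Running the redaction at ingest time, before lines reach a shared logging pipeline, is what prevents the situation described above, where the cleanup only happens after the credentials are already stored.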

GitHub completed its acquisition of NPM Inc on 15 April 2020.

The hashed passwords do present a problem since the hashes were generated using PBKDF2 or salted SHA1 algorithms, according to GitHub.

GitHub celebrated the publication of its findings by doing that most secure of things: falling over so users couldn't get access this morning.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/27/github_publishes_a_post_mortem/

Related vendor

VENDOR   LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Github   13                    2     45       30     19         96