1. 8

“If we dont receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

  1. 8

    I mean, go ahead and delete my code - it’s a git repo - I have it all locally.

    And then I read the “We will make your code public or use them otherwise.”

    Even then. Is it bad that this doesn’t sound too bad to me?

    I mean, we aren’t storing credentials and other secrets in our repos, right guys? Right?

    1. 5

      Some folks keep private repositories on GitHub.

      So yeah, if you’re just using GitHub as public Git hosting and you don’t rely on their issue tracking, then maybe it’s not such a big deal. But if it’s your startup, it could be devastating. Then again, if that’s the case, you should be using decent passwords and 2FA.

      1. 1

        I’m not familiar with private repos on GitHub - I only have a public one myself.

        Can anyone other than the project owner or GH themselves access it?

        I don’t think this was a very high-effort attack. I think only public repos were scanned for credentials, these were used to impersonate the repo owner, and the code was deleted/made inaccessible and a ransom demand made.

      2. 3

        Even if you were, 10 Days is plenty of time to do damage control.

      3. 3

        Seems like the “trying common / simple passwords on a lot of accounts” technique is spreading. It started on Twitter to steal verified accounts as far as I remember (at least at a large scale).

        Maybe one day everybody will use something like the haveibeenpwned API and/or check current passwords against top password lists and common substitutions based on context (username, company, etc.).

        1. 3

          I wonder if this is connected to the recent DockerHub leak? GitHub and BitBucket tokens as well as hashed passwords were stolen (unclear which hash algorithm it used AFAIK).
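The password check proposed earlier in the thread (a haveibeenpwned-style lookup plus matching against top-password lists and context-based substitutions), as an added Python example that is not part of this discussion: the password list, breach corpus and counts are constructed stand-ins, and `fake_range_server` is an offline fake that only mimics the `SUFFIX:COUNT` response format of the pwnedpasswords k-anonymity range endpoint.

```python
import hashlib
import re

# Constructed sample data (not real HIBP output): a tiny top-password list and a
# fake breach corpus that stands in for the pwnedpasswords service.
TOP_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
FAKE_BREACHED = {"password": 3645804, "letmein": 254890, "qwerty": 3912816}
# Substitutions that attacker wordlist rules undo just as easily as we do here.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

def normalize(pw):
    """'P@ssw0rd2019!' -> 'password': drop trailing digits/punct, lowercase, undo leet."""
    core = re.sub(r"[^A-Za-z]+$", "", pw).lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)

def context_tokens(*fields):
    """Words (4+ letters) from username/company that a password must not be built from."""
    return {w for f in fields for w in re.findall(r"[a-z]+", f.lower()) if len(w) >= 4}

def fake_range_server(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    one 'SUFFIX:COUNT' line per breached hash sharing the 5-hex-char prefix."""
    hashes = {hashlib.sha1(p.encode()).hexdigest().upper(): c for p, c in FAKE_BREACHED.items()}
    return "\n".join(f"{h[5:]}:{c}" for h, c in hashes.items() if h.startswith(prefix))

def breach_count(pw, fetch_range=fake_range_server):
    """k-anonymity lookup: only the first 5 hex chars of SHA-1(pw) leave the host;
    the remaining 35 are matched locally against the returned range."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        sfx, _, count = line.partition(":")
        if sfx == suffix:
            return int(count)
    return 0

def assess(pw, username="", company="", fetch_range=fake_range_server):
    """Return the reasons a password is rejected; an empty list means it passed."""
    reasons, base = [], normalize(pw)
    if pw.lower() in TOP_PASSWORDS or base in TOP_PASSWORDS:
        reasons.append("matches a top-password list (after undoing substitutions)")
    hits = sorted(w for w in context_tokens(username, company) if w in base or w in pw.lower())
    if hits:
        reasons.append("derived from account context: " + ", ".join(hits))
    n = breach_count(pw, fetch_range)
    if n:
        reasons.append(f"seen {n} times in breach data")
    return reasons
```

Swapping `fetch_range` for a function that performs the real HTTPS GET keeps the k-anonymity property: the full hash never leaves the host.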