HACKER Q&A
📣 jFriedensreich

How did my GitHub password get breached, and how should I react?


I got a two-factor authentication warning from GitHub that someone in Canada successfully entered my GitHub password and was stopped by two-factor authentication.

Normally, session warnings are business as usual, but in this case my password was entered, and it was generated by a password manager with high entropy and was only stored in Dashlane, 1Password and the Chrome password manager.

A Google search for the password had no results, and haveibeenpwned shows no known breach. I have no idea how this could have leaked and what my security status is now. I have some productivity apps on my Mac with accessibility permissions to read my clipboard (Yippy, Zoom, Teams, PGP), but I am not sure whether I have to assume one of these apps is compromised and wipe my whole machine.

Does anyone have any ideas about breaches not in haveibeenpwned, or what a reasonable response would be, or could chime in with what they would do? I know in theory I would need to wipe my machine and then change all my passwords, which would take weeks, but I am not sure whether this is an overreaction.
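One practical point on the "Google search for the password" check: typing a password into a search engine discloses it to a third party, while Have I Been Pwned's Pwned Passwords range API uses k-anonymity, so only the first five hex characters of the password's SHA-1 leave the machine and the match is done locally. The following is an added example (not code from the original post or from HIBP) of that lookup; the sample range response and its counts are constructed for the offline demo, and `sample_fetcher` is a stand-in for the real HTTP call. Note also that this checks the Pwned Passwords corpus, which is separate from the per-email breach search; a password stolen by malware or phishing can be absent from both.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords set via the
k-anonymity range API. Added example, not the poster's or HIBP's code."""
import hashlib
import urllib.request

# Real HIBP endpoint: GET /range/<first 5 hex chars of SHA-1>, returns
# lines of "<remaining 35 hex chars>:<count>" for every hash in that bucket.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.
    Only the 5-char prefix is ever sent; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Fetch the range page for a 5-char prefix from HIBP (needs network)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    `fetcher` is injectable so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetcher(prefix)).get(suffix, 0)


# Constructed sample bucket for prefix 5BAA6 (the SHA-1 prefix of "password").
# The suffixes other than the second line and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D6C9E1D1D7F5E2B4B6C9B1E0B0D0B0E0A1:1
"""


def sample_fetcher(prefix: str) -> str:
    """Offline stand-in for fetch_range: serves the constructed bucket only."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Offline demo; swap sample_fetcher for fetch_range to query HIBP for real.
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        print(f"{pw!r}: prefix sent = {prefix}, seen {pwned_count(pw, sample_fetcher)} times")
```

The injectable `fetcher` keeps the hashing and matching logic testable without network access; for a real check, call `pwned_count(pw)` with the default fetcher and never log or print the password itself.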


  👤 gostsamo Accepted Answer ✓
You might've been phished with a fake site to provide the GH password while the attacker didn't expect that you have 2FA enabled. Alternatively, a bad Chrome extension, but it would've stolen much more, like session cookies and the like. I'm not sure about 1Password, Dashlane and the rest.

What is your threat model? Who would like to hack you, and what access would they gain? Act according to that.


👤 jFriedensreich
Update in case anyone stumbles across this later: the software that caused the issue has been identified and was related to one of my clients' product code; no browser extension, mentioned Mac utility application or phishing attack was the cause.

My takeaways:

- Non-SMS 2FA is obligatory everywhere, no exception.

- Password expiration after one year makes sense and can help find breaches much faster.

- Applications should have an enforceable field to attach a note to a new session, for finding a possible breach source or remembering legitimate access that is further in the past.

- Passwords are stupid and should be replaced in general.


👤 surprisetalk
I'm so sorry to hear you're going through this. I got hacked a few years ago through a SIM swap attack, and it feels terrible being violated like that.

This does not sound like an overreaction.

I would personally (1) wipe my machine and (2) reset all my passwords. I'd be very selective about which tools I reintroduce into my workflow.


👤 jFriedensreich
So I found out the attacker most probably used a compromised host from www.ovh.com as a jump host.