上周国外多家媒体报道,在 Github 内部的日志系统中,部分用户的密码以明文的形式暴漏给了内部员工。
经整理,事件始末如下: Github 上周二向部分用户发送了一封电子邮件,通知由于密码重置功能出现故障,导致其内部日志明文记录了某一时间段用户在进行密码重置时的密码。目前 Bug 已修复,但这一部分的用户需要再次重置密码才能访问帐户。 邮件中,GitHub 还表示这些密码大多数 GitHub 员工是无法访问的,更不会被公众或其他 GitHub 用户访问到。GitHub 不会故意以明文格式存储密码,也没有被黑客入侵或以任何方式泄密。 邮件全文如下: During
the course of regular auditing, GitHub discovered that a recently
introduced bug exposed a small number of users' passwords to our
internal logging system, including yours. We have corrected this, but
you'll need to reset your password to regain access to your account. GitHub
stores user passwords with secure cryptographic hashes (bcrypt).
However, this recently introduced bug resulted in our secure internal
logs recording plaintext user passwords when users initiated a password
reset. Rest assured, these passwords were not accessible to the public
or other GitHub users at any time. Additionally, they were not
accessible to the majority of GitHub staff and we have determined that
it is very unlikely that any GitHub staff accessed these logs. GitHub
does not intentionally store passwords in plaintext format. Instead, we
use modern cryptographic methods to ensure passwords are stored secure
in production. To note, GitHub has not been hacked or compromised in any
way. You can regain access to your account by resetting your passwords using the link below:: https://github.com/password_reset
最初,许多用户在收到邮件后以为这是一个大规模的网络钓鱼攻击,并在 Twitter 上晒起了截图。之后才确定是官方发送的邮件,也因此引起了许多媒体的关注和报道。
更多关于此事件的详细报道请看国外媒体:gizmodo、zdnet、whatsnew2day | 
