今天早上,收到一封来自Github的信,说我的帐号有可疑的活动,建议我修改密码。
Hi @Zola,
We recently noticed some suspicious activity on your GitHub account. Out of an abundance of caution, we made the decision to force a password reset for the account associated with this email address.
This kind of unauthorized access often occurs as a result of reusing the same sign in credentials on multiple online services. An attacker is then able to obtain lists of email addresses and passwords from other online services that have been compromised in the past, and try them on GitHub. To note, GitHub has not been hacked or compromised.
In this particular case, GitHub discovered suspicious starring and watching of repositories during the course of routine anti-spam work. Subsequent investigation revealed suspicious login activity on your account.
Follow the link below to request a password reset token.
https://github.com/password_reset
To protect your account from unauthorized access, please choose a strong and unique password for your account. We have a help article with some recommendations here:
https://help.github.com/articles/creating-a-strong- password/
We also strongly recommend taking the additional step to secure your account with two-factor authentication. The following guide provides step-by-step instructions:
https://help.github.com/articles/configuring-two- factor-authentication-via-a- totp-mobile-app
After you sign in, please review your security history for suspicious or malicious activity.
https://github.com/settings/security
If you have specific concerns you may contact our support team by replying to this message or submitting a message through our contact form.
https://github.com/contact
Thanks,
GitHub Support
我于是去修改了自创建帐号以来就没有修改过的简易密码,也加上了两步验证。然后查看别人盗用我的github帐号做了些什么。
结果人家拿我的帐号去给别人的项目按赞了,这个帐号的主人说莫名其妙一个2000多stars的项目被突然飙升到6000多,我现在看到的是8941,
https://github.com/Konloch/bytecode-viewer
项目主人3天前描述了这个奇怪现象,希望github官方处理了一下,然后我就收到了这封提醒换密码的邮件。
接下来我unstar这个项目。需要提醒的是,这个项目最近新增了近7000按赞者里头,应该都是和我同样的遭遇,都是帐号被盗用。估计有用户数据库泄露,然后某个“纯洁”的家伙不知道拿这些帐号做点什么,只好给别人的项目按个赞。
然后去看了看profile,去看了your stars,sort用recently starred,没有发现更多不认得的项目了。应该是没有被拿去干更多坏事了。
这个故事告诉我们,弱密码迟早会泄露。
两步验证机制告诉我们,密码泄露也不怕,拿了也登录不上。