In an email sent out today, GitHub has warned a select number of users that a bug in its password reset functionality has recorded users' passwords in plaintext format inside the company's internal logs.
The company says that the plaintext passwords have only been exposed to a small number of GitHub employees with access to those logs. No other GitHub users have seen users' plaintext passwords, the company said.
GitHub says that normally, passwords are secure, as they are hashed with the bcrypt algorithm. The company blamed a bug for plaintext passwords ending up in its internal logs. Only users who've recently reset passwords were affected.
The number of affected users is expected to be low. Bleeping Computer has reached out to GitHub for a tally of affected customers, but the company did not respond before this article's publication.
GitHub said it discovered its error during a routine audit and made it clear its servers weren't hacked.
Tens of users shared images of the GitHub emails they've received on Twitter earlier today. Initially, users thought this was a massive phishing campaign, but the messages turned out to come from the real GitHub.
In June 2016, GitHub also sent out password reset emails to customers after an unknown actor tried to access GitHub accounts using passwords leaked online at the time, via the LinkedIn, Dropbox, MySpace, and the other mega breaches of 2016.
The full text of the email GitHub sent out today is available below:
During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system, including yours. We have corrected this, but you'll need to reset your password to regain access to your account. GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time. Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored secure in production. To note, GitHub has not been hacked or compromised in any way. You can regain access to your account by resetting your passwords using the link below:: https://github.com/password_reset