May 10, 2019

GitHub Accounts Compromised, Attackers Asking For Ransom

GitHub Accounts Compromised, Attackers Asking For Ransom

If you ever wonder how to hack GitHub, maybe you should ask the latest attackers who were asking for a ransom to the users in return of their data on Git. The incident took place on the 2nd of May when GitLab got the first repository wipe-off report with just one ‘WARNING’ commit with a ransom note inside. The note asked targets to send 0.1 BTC (that roughly translates to $568) to a Bitcoin address. If they failed to send the amount, attackers threatened to host their code as public.

In response to the situation, Kathy Wang, GitLab’s Director of Security said on May 3, “We identified the source based on a support ticket filed by Stefan Gabos yesterday, and immediately began investigating the issue. We have identified affected user accounts and all of those users have been notified. As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on deployment of a related repository.”

GitLab’s official post read, “All total, 131 users and 163 repositories were, at a minimum, accessed by the attacker. Affected accounts were temporarily disabled, and the owners were notified.”

Ransom Note By The Attackers

Below is the ransom note left by the attackers:

“To recover your lost data and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise.”

According to a Bleeping computer report, “The targets who had their repos compromised use multiple Git-repository management platforms, with the only other connection between the reports besides Git being that the victims were using the cross-platform SourceTree free Git client”, The Bleeping Computer reports. Gitlab, on the other hand, has notified users that the issue will be resolved soon.

A website that tracks Bitcoin addresses, also recorded 27 abuse reports against the address, with the first report coming on May 2.

“When searching for it on GitHub we found 392 impacted repositories which got all their commits and code wiped using the ‘gitbackup‘ account which joined the platform seven years ago, on January 25, 2012. Despite that, none of the victims have paid the ransom the hackers have asked for, seeing that the Bitcoin address received only 0.00052525 BTC on May 3 via a single transaction, which is the equivalent of roughly $2.99”, Bleeping Computer further mentioned.

The company has openly spoken about the issue to prevent targeted users from panicking. “GitHub has been thoroughly investigating these reports, together with the security teams of other affected companies, and has found no evidence or its authentication systems have been compromised. At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures,” a Github spokesperson said while speaking to Bleeping Computers.

Notably, this is not the first time that Github security has been compromised. However, GitLab is continuously monitoring the issue. Team Gitlab also recommended all users to empower their Gitlab accounts with two-factor authentication and SSH keys.

Bitbucket users received an email in response to this breach stating, “We are in the process of restoring your repository and expect it to be restored within the next 24 hours. We believe that this was part of a broader attack against several git hosting services, where repository contents were deleted and replaced with a note demanding the payment of ransom. We have not detected any other compromise of Bitbucket. We have proactively reset passwords for those compromised accounts to prevent further malicious activity. We will also work with law enforcement in any investigation that they pursue. We encourage you and your team members to reset all other passwords associated with your Bitbucket account. In addition, we recommend enabling 2FA on your Bitbucket account.”