Connect with us

Hi, what are you looking for?


Incident Response

Gentoo Publishes Incident Report After GitHub Hack

Gentoo GitHub account hacked

Gentoo GitHub account hacked

Maintainers of the Gentoo Linux distribution published an incident report on Wednesday after someone hijacked one of the organization’s GitHub accounts and planted malicious code.

The attack started on June 28 and the hacker (or hackers) not only changed content in compromised repositories, but also locked out Gentoo developers from the targeted GitHub account. This made the attack “loud” – Gentoo believes the hackers could have maintained access longer had they been quieter.

GitHub could not be used by Gentoo for a total of five days as a result of the incident. The breach also led to a disruption of the Gentoo Proxy Maintainers Project as it uses GitHub to submit pull requests, and all past pull requests were disconnected from their original commits.

The attacker also attempted to wipe users’ files by adding “rm-rf” to some repositories, but Gentoo believes this method was unlikely to work due to “various technical guards.”

The GitHub account was compromised after the hacker gained access to an admin account that had a predictable password.

“Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” Gentoo wrote in its incident report.

The incident report summarizes the lessons learned by Gentoo following the incident and the actions taken or planned in response. These actions include making frequent backups, requiring the use of two-factor authentication (2FA) and introducing support for hardware-based 2FA, reducing the number of users with elevated privileges, auditing logins, publishing password policies, and suggesting the use of password managers.

Gentoo is also working on an incident response plan, particularly for sharing information about a security incident with users.

Advertisement. Scroll to continue reading.

The maintainers of the Linux distribution believe the breach has been contained and restored the impacted GitHub page.

Related: Compromised GitHub Account Spreads Malicious Syscoin Installers

Related: Hackers Can Use Git Repos for Stealthy Attack on Developers

Related: GitHub Exposed Passwords of Some Users

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights