Microsoft-owned code hosting platform GitHub said that it has replaced the RSA SSH private key used to secure Git operations for GitHub.com.
The key, the platform said, was briefly exposed in a public GitHub repository and was not leaked following a GitHub compromise. No customer information was impacted, the company says.
According to the software collaboration platform, the key could have been used to impersonate GitHub or eavesdrop on customers’ Git operations over SSH.
“This key does not grant access to GitHub’s infrastructure or customer data,” GitHub said in a Friday announcement.
GitHub also noted that the key was exposed as a result of “an inadvertent publishing of private information”.
“We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution,” GitHub said.
With only GitHub.com’s RSA SSH key replaced, no action is required from ECDSA and Ed25519 users. The leak did not impact web traffic to GitHub.com or HTTPS Git operations either.
“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change,” GitHub said on Friday.
The platform also provided instructions on how customers can manually remove the old key and add the new RSA SSH public key. GitHub Actions users may also need to take action.
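As an added illustration (not GitHub's instructions and not code from this article), the following Python sketch audits a `known_hosts` file for pinned github.com keys, including OpenSSH's hashed host entries, and flags RSA entries whose fingerprint differs from a trusted value while leaving ECDSA and Ed25519 entries alone. The key blobs, salt and trusted fingerprint are constructed placeholders; in real use the trusted fingerprint is assumed to come from GitHub's own published value.

```python
import base64, hashlib, hmac

def b64(raw):
    return base64.b64encode(raw).decode()

def host_matches(field, hostname):
    """True if a known_hosts host field names hostname, in plain or hashed form."""
    for pat in field.split(","):
        if pat.startswith("|1|"):
            # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
            _, _, salt, mac = pat.split("|")
            calc = hmac.new(base64.b64decode(salt), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(calc, base64.b64decode(mac)):
                return True
        elif pat == hostname:
            return True
    return False

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    return "SHA256:" + b64(hashlib.sha256(base64.b64decode(key_b64)).digest()).rstrip("=")

def audit(known_hosts_text, hostname, trusted_rsa_fp):
    """Return (line_no, key_type, verdict) for every pinned key of hostname."""
    findings = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked lines and other hosts.
        if len(fields) < 3 or fields[0][0] in "#@" or not host_matches(fields[0], hostname):
            continue
        if fields[1] != "ssh-rsa":
            verdict = "unaffected"      # ECDSA / Ed25519 keys were not replaced
        elif fingerprint(fields[2]) == trusted_rsa_fp:
            verdict = "current"
        else:
            verdict = "stale-rsa"       # remove and re-pin from the official source
        findings.append((n, fields[1], verdict))
    return findings

# Constructed sample: the key blobs are placeholders, not real host keys.
OLD_RSA, NEW_RSA, ED = b64(b"constructed old rsa"), b64(b"constructed new rsa"), b64(b"constructed ed25519")
SALT = b"constructed-salt-xyz"
HASHED = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, b"github.com", hashlib.sha1).digest()))
SAMPLE = "\n".join([
    "github.com ssh-ed25519 " + ED,
    "github.com ssh-rsa " + OLD_RSA,
    HASHED + " ssh-rsa " + NEW_RSA,
    "example.org ssh-rsa " + OLD_RSA,
])
# Assumption: in real use this value is the RSA fingerprint GitHub publishes.
TRUSTED_FP = fingerprint(NEW_RSA)

if __name__ == "__main__":
    for finding in audit(SAMPLE, "github.com", TRUSTED_FP):
        print(finding)
```

Checking the hashed form matters because a plain text search for the hostname misses entries written with `HashKnownHosts` enabled.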
According to code security platform GitGuardian, the accidental exposure of secrets in public repositories is not surprising. In 2022, the firm found over 10 million new secrets exposed and says that one out of ten committers exposed a secret last year.
“If you have exposed a secret publicly, you are certainly not alone. GitHub serves as a good reminder we must stay vigilant in our security practices, no matter how large our team,” GitGuardian notes.

