In an email sent out today, GitHub has warned a select number of users that a bug in its password reset functionality has recorded users' passwords in plaintext format inside the company's internal logs.

The company says that the plaintext passwords have only been exposed to a small number of GitHub employees with access to those logs. No other GitHub users have seen users' plaintext passwords, the company said.

GitHub says that normally, passwords are secure, as they are hashed with the bcrypt algorithm. The company blamed a bug for plaintext passwords ending up in its internal logs. Only users who've recently reset passwords were affected.

The number of affected users is expected to be low. Bleeping Computer has reached out to GitHub for a tally of affected customers, but the company did not respond before this article's publication.

Plaintext password storage bug found during a routine audit

GitHub said it discovered its error during a routine audit and made it clear its servers weren't hacked.

Tens of users shared images on Twitter earlier today of the GitHub emails they had received. Initially, users thought this was a massive phishing campaign, but the messages turned out to come from the real GitHub.

In June 2016, GitHub also sent out password reset emails to customers after an unknown actor tried to access GitHub accounts using passwords leaked online at the time in the LinkedIn, Dropbox, MySpace, and other mega breaches of 2016.

The full text of the email GitHub sent out today is available below: