A hacker has been wiping code from GitHub accounts and is demanding a Bitcoin ransom to return the deleted information.

Hundreds of GitHub users found a nasty surprise when they logged into their accounts recently: empty repositories of code.

A hacker has been targeting GitHub accounts and has managed to access at least 392 accounts so far. The hacker deletes the code he or she finds and leaves a Bitcoin ransom demand behind.

Bitcoin demanded for code’s return

Affected users have posted a note from the hacker that reads:

“To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at [email protected] with your Git login and a Proof of Payment.”

The hacker says the stolen code is being stored on their server and has offered to send proof to the victim that they have the data if the victim requests confirmation.

According to the hacker’s ransom demand, victims have 10 days to make the Bitcoin ransom payment or else the code will be made public or be used “otherwise.”

GitHub is not the only site affected. Both GitLab and Bitbucket have reported the same hacks and cryptocurrency ransom demands, with up to 1,000 Bitbucket users being affected.

The Microsoft connection

Bitbucket and GitLab say that their security is not to blame for the attacks. Bitbucket notes the hacker gained access to the user accounts by submitting the proper usernames and passwords.

“We believe that these credentials may have been leaked through another service, as other git hosting services are experiencing a similar attack. We have not detected any other compromise of Bitbucket,” notes a Bitbucket representative.

“We have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner,” added Kathy Wang, the security director for GitLab.

So far, Microsoft has been silent on the entire matter. Microsoft bought GitHub last year for US$7.5 billion.

Just a few days ago, Micky reported that Microsoft had downplayed a hack of the company’s email applications that took place in January. Microsoft initially reported that only items like subject lines and email addresses were stolen, not the actual content of emails.

A few months later, it was realized that the content of emails had been stolen, allowing the hackers to access cryptocurrency accounts and empty them.

As for GitHub, Bitbucket, and GitLab, all may not be lost. Bitbucket says it will restore data sometime today, and one victim reported that they were able to recover their deleted code.

At the time of writing, the hacker’s Bitcoin address only contains 0.00052525 BTC (or about US$3).