A hacker has been breaking into GitHub accounts, purportedly wiping the code repositories and then demanding a ransom in exchange to restore the information.

The attack, which was initially noticed by ZDNet, has hit at least 392 different GitHub repos and defaced them with a ransom note. "To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at [email protected] with your Git login and a Proof of Payment," reads the note.

The attack has also been hitting code repositories on the similar services Bitbucket and GitLab. To break in, the hacker has been targeting accounts that either used weak passwords or had their login credentials leaked through separate services, the different platforms said.

"At this time, it appears that account credentials of some of our users have been compromised as a result of unknown third-party exposures," GitHub said in a statement. "We are working with the affected users to secure and restore their accounts."

A security researcher at Atlassian, which owns Bitbucket, told Motherboard that as many as 1,000 users could've been hit in the attacks. But it remains unclear if anything of value was actually stolen in the attacks. For instance, many code repositories on GitHub are public. It's also possible the compromised repositories were largely unused, or hosting half-baked projects.

Whether any private code repositories were breached remains unknown. But it doesn't appear that any code was actually deleted. In a security advisory sent on Friday, Bitbucket said it plans on restoring the affected code repositories within the next 24 hours. One victim also claims to have managed to recover the code by "accessing a commit's hash." Affected account holders can learn more here.
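As an added example (not code from the article, the victim or any of the platforms), the script below rebuilds the wipe described above in a throwaway local git repository and then recovers the original content from its commit hash, which the reflog still records after the branch is gone. It assumes only git and a POSIX shell are installed; the note text is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the article: simulate a repository whose history
# was replaced by a single note commit, then recover the original commit.
set -eu

recover_demo() (
  work=$(mktemp -d)
  git init -q "$work/repo"
  cd "$work/repo"
  git config user.email demo@example.invalid
  git config user.name demo

  # Original work: one real commit on the default branch.
  echo 'print("hello")' > app.py
  git add app.py
  git commit -q -m "original work"
  original=$(git rev-parse HEAD)
  branch=$(git symbolic-ref --short HEAD)

  # Simulate the wipe: history replaced by one orphan commit holding only a
  # note (constructed placeholder text), and the old branch deleted.
  git checkout -q --orphan wiped
  git rm -q -r -f .
  echo 'constructed placeholder note' > WARNING.txt
  git add WARNING.txt
  git commit -q -m "note"
  git branch -q -D "$branch"

  # The old commit is unreachable from any branch, but git keeps the object
  # until gc prunes it. If the hash was not written down, the reflog has it.
  found=$(git log -g --format='%H %s' | grep 'original work' | head -n1 | cut -d' ' -f1)
  [ "$found" = "$original" ]

  # Recovery: point a new branch at the surviving commit and read the file back.
  git checkout -q -b recovered "$found"
  cat app.py
)

recover_demo
```

The same recovery applies to a hosted repository only while the service still holds the objects, which is why a local clone that predates the wipe is the safest copy to restore from.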

GitLab's security director Kathy Wang told PCMag: "We have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner."

"We are still investigating the issue but we found evidence the 'update' scripts in some of the affected repositories hardcoded credentials in an insecure location in the deployed application," she added in an email, which notes that GitLab users can also restore their code repos. More instructions are available here.

According to the hacker's ransom note, victims have only 10 days to pay the 0.1 Bitcoin ($566) or else the hacker will make the stolen code public or use it for their own ends. But currently, the hacker's Bitcoin address remains essentially empty.

In response to the attack, GitHub, Bitbucket and GitLab are recommending that users activate two-factor authentication on their accounts for better protection.

Editor's Note: This story has been updated with comment from GitHub and further analysis on the attack's impact, noting that it may have been minimal.
