GitHub is experiencing an increase in user account hijackings that's being fueled by a rash of automated login attempts from as many as 40,000 unique Internet addresses.

The site for software development projects has already reset passwords for compromised accounts and banned frequently used weak passcodes, officials said in an advisory published Tuesday night. Out of an abundance of caution, site officials have also reset some accounts that were protected with stronger passwords. Accounts that were reset despite having stronger passwords showed login attempts from the same IP addresses involved in successful breaches of other GitHub accounts.

"While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses," Tuesday night's advisory stated. "These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly used weak passwords."
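The pattern the advisory describes can be shown over a login log: each address stays under a per-IP limit, so the attack only becomes visible when failures are grouped per account, and the precautionary resets follow from shared source addresses. This is an added example, not GitHub's code; the event format, thresholds, account names and the rule that every address seen on a breached account counts as involved are assumptions.

```python
from collections import defaultdict

# Constructed sample events in time order: (source_ip, account, succeeded).
# Addresses come from documentation ranges; account names are made up.
EVENTS = [
    ("192.0.2.10", "alice", False),
    ("192.0.2.11", "alice", False),
    ("192.0.2.12", "alice", False),
    ("192.0.2.13", "alice", True),    # weak password eventually guessed
    ("192.0.2.10", "bob", False),
    ("192.0.2.13", "carol", False),   # strong password, same source as a breach
    ("198.51.100.7", "dave", False),  # ordinary typo by the real user
    ("198.51.100.7", "dave", True),
]
PER_IP_LIMIT = 3       # assumed: failures from one IP before it is blocked
DISTINCT_IP_LIMIT = 3  # assumed: distinct failing IPs that mark an account as targeted

def ips_over_limit(events):
    """IPs that a per-IP rate limit alone would catch."""
    fails = defaultdict(int)
    for ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= PER_IP_LIMIT}

def breached_accounts(events):
    """Accounts where a success follows failures from many distinct IPs."""
    failing_ips = defaultdict(set)
    breached = set()
    for ip, account, ok in events:
        if not ok:
            failing_ips[account].add(ip)
        elif len(failing_ips[account]) >= DISTINCT_IP_LIMIT:
            breached.add(account)
    return breached

def accounts_to_reset(events):
    """Breached accounts plus any account touched by an IP seen on a breached one."""
    breached = breached_accounts(events)
    breach_ips = {ip for ip, account, _ in events if account in breached}
    return {account for ip, account, _ in events if ip in breach_ips}

if __name__ == "__main__":
    print("blocked by per-IP limit:", sorted(ips_over_limit(EVENTS)))
    print("breached:", sorted(breached_accounts(EVENTS)))
    print("reset:", sorted(accounts_to_reset(EVENTS)))
```

In the sample, no address reaches the per-IP limit, yet one account is breached and two more are reset only because they share a source address with it.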

The attack comes a few weeks after high-profile hacks on Adobe, MacRumors, and vBulletin exposed huge numbers of account credentials. It's possible the infusion of so many newly compromised records is at least in part what's fueling the attack on GitHub, although the advisory made no reference to them.

To the strong credit of GitHub, the site said it uses the bcrypt algorithm to cryptographically hash passwords. Use of bcrypt and other slow hashes dramatically increases the time and resources required to crack passwords in the event they are ever obtained by hackers. Such "offline" cracks differ from the online attacks described in the advisory, however.

GitHub provides a security history page that logs important events involving a user's account. The advisory suggested users review their accounts, ensure they have a strong password, and enable two-factor authentication.