One of my repo's was wiped today and just a message left in its place with a bitcoin ransom. I've no idea how they accessed my account, can't really see anything on github security page.

The domain of the email they want me to contact was only created today, google brings nothing up, also seems like a fresh bitcoin address as google returns nothing for it.

They only wiped one repo and there's like 50+ which makes me think they never accessed my account directly and possible from a server where i had cloned the repo to, or it was a targeted attack and they knew exactly what they were after.

Is there anyway to check if my other repos have been accessed recently and cloned? they're all set to private.

I'm at a bit of a loss just now as what to do, 2 factor has been turned on in github, the main server where the code was used I've removed unused scripts etc changed passwords, currently building a new server droplet and moving everything as a precaution in case the server was accessed.

This code was still in beta, although we have about 50 customers using it. And there's a few instances during development just because of the sheer lack of time I've went for the old security through obscurity... So this will have a direct impact on my customers.

Anyone got any input, how i can try track back the source of this, find out how they got access in the first place?

Just checked the last commit details,

WARNING gitbackup

gitbackup committed 4 hours ago

All history of commits and all code is gone.

Update: Bitcoin address and email are starting to surface on google with reports of similar incidents, at least I know now its random and not targeted.

Response from Github

Github Got back to me today with a pretty standard response.

We recently noticed some suspicious activity on your GitHub account that suggests an attacker may have logged in, downloaded, and maliciously modified certain repositories, listed below. Out of an abundance of caution, we made the decision to force a password reset for the account associated with this email address. We have no reason to believe that GitHub has been hacked or compromised.

This kind of unauthorized access often occurs as a result of credential reuse across multiple online services. An attacker is then able to obtain lists of email addresses and passwords from other online services that have been compromised in the past, and try them on GitHub.

Repositories suspected of takeover:

xxxx

If you have a local copy of the repository, force pushing it to GitHub should restore the repository to its previous state. If you do not have a local copy, please contact our Support team at the email address below in order to request help.