Attackers stole login information for nearly 100,000 npm user accounts

GitHub disclosed that attackers stole the login details of nearly 100,000 npm user accounts in a mid-April attack that abused OAuth application tokens issued to Heroku and Travis-CI. The attackers accessed a 2015 archive of user information containing nearly 100,000 npm usernames, password hashes, and email addresses. The password hashes were generated with weak algorithms such as salted SHA-1 and are therefore easy to crack (a salt blocks precomputed tables, but does nothing against fast per-account guessing). However, because GitHub has automatically enabled email verification for all accounts since March 1, account takeover attempts are blocked automatically. After analyzing and checking the hashes of all npm package versions, GitHub is confident that the attackers did not modify any published packages or upload new versions of existing packages. GitHub has reset the passwords of all affected users and notified the affected organizations and users.
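The following is an added example (not code from the article, from GitHub, or from npm) showing why a leaked archive of salted SHA-1 hashes is still dangerous: the salt forces one hash per user and guess, but each SHA-1 is so cheap that an offline wordlist attack recovers ordinary passwords immediately. The row layout (hex salt, sha1(salt || password)), the sample users, and the wordlist are all constructed for the demo; the real npm archive format is not public. The PBKDF2 scheme at the end is shown only as a contrast, not as what npm used.

```python
"""Offline dictionary attack on constructed salted-SHA-1 password records."""
import hashlib
import hmac
import secrets
import time

# Constructed sample users. Two use wordlist passwords, one uses a passphrase
# that is not in the (tiny) wordlist below.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "password1"),
    ("bob", "bob@example.test", "Summer2015"),
    ("carol", "carol@example.test", "correct horse battery staple"),
]

# Constructed wordlist; a real attack uses hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "qwerty",
            "Summer2015", "letmein", "npm", "hunter2"]


def salted_sha1(salt: bytes, password: str) -> str:
    """Legacy scheme: one fast SHA-1 over salt || password (assumed layout)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_kdf(salt: bytes, password: str) -> str:
    """Contrast scheme: PBKDF2-HMAC-SHA256 with a high iteration count, so
    every guess costs the attacker 600k HMAC calls instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000).hex()


def make_archive(hash_fn=salted_sha1):
    """Build rows resembling a leaked user export: username, email, salt, hash."""
    rows = []
    for username, email, password in SAMPLE_USERS:
        salt = secrets.token_bytes(16)  # per-user random salt, stored in clear
        rows.append({"username": username, "email": email,
                     "salt": salt.hex(), "hash": hash_fn(salt, password)})
    return rows


def crack(rows, wordlist, hash_fn=salted_sha1):
    """Offline dictionary attack. The salt forces one hash per (user, guess)
    pair and defeats precomputed tables, but it does nothing about the cost
    of each guess, which for SHA-1 is negligible. Returns the recovered
    passwords by username and the total number of guesses made."""
    cracked = {}
    guesses = 0
    for row in rows:
        salt = bytes.fromhex(row["salt"])
        for candidate in wordlist:
            guesses += 1
            if hmac.compare_digest(hash_fn(salt, candidate), row["hash"]):
                cracked[row["username"]] = candidate
                break
    return cracked, guesses


def guess_cost_seconds(hash_fn, samples=5):
    """Average wall-clock cost of one guess under a given scheme."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(salt, f"guess{i}")
    return max(time.perf_counter() - start, 1e-9) / samples


if __name__ == "__main__":
    archive = make_archive()
    found, n = crack(archive, WORDLIST)
    print(f"salted SHA-1: cracked {found} after {n} guesses")

    sha1_cost = guess_cost_seconds(salted_sha1)
    kdf_cost = guess_cost_seconds(slow_kdf)
    print(f"per-guess cost: SHA-1 {sha1_cost:.2e}s, PBKDF2 {kdf_cost:.2e}s "
          f"({kdf_cost / sha1_cost:.0f}x slower)")
```

Running the script recovers alice's and bob's passwords after 16 guesses in total while carol's passphrase survives only because it is absent from the wordlist; the timing line shows that the same attack against a slow KDF costs several orders of magnitude more per guess, which is the property the legacy hashes lacked.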

This article is reprinted from: https://www.solidot.org/story?sid=71665
This site only archives the article; copyright belongs to the original author.