GitHub just sent out an email notifying repo owners that they "gave a random unauthorized user access to your private repository"

Text of the email:

Recently, a bug in GitHub’s system gave a random unauthorized user access to your private repository data located at:

If a repository listed above was part of a GitHub organization account we are notifying all account owners. Read on for more information about what happened and what GitHub is doing to address the situation.

What happened:

GitHub’s Security team was notified of a potential data exposure incident on Friday, October 21st. This initiated an internal investigation with our Systems and Infrastructure teams. That investigation has determined that for an approximately 10-minute window on Thursday, October 20th, a bug was temporarily introduced in our system that caused our database to incorrectly share database connections across processes, meaning that on rare occasions, one process received the answer to another process's query. The vast majority of these shared connections were harmless, but in 156 cases, the problem allowed one user, who was trying to fetch Git commits from their own repository, to instead be transmitted Git history from a different repository.

Regrettably, in most cases where information leakage occurred, most or all of the repository's entire Git history was transmitted to the unwitting recipient. Here are some additional facts revealed by our investigation, which might help you determine what mitigating measures are appropriate in your case:

  • Data was only leaked to paying GitHub customers who were trying to fetch from their own private repositories. There was no leakage of private repository information to users who were trying to access public repositories.
  • Users could do nothing to provoke information leakage. The users who received leaked data were not seeking it; they were just normal users going about their work.
  • Based on our analysis of the log data, we believe a large percentage of the recipients of leaked data were likely automated systems (e.g. CI build systems), not a human operator.

What you can do:

Please take a moment to check your affected repository. If it contains personal information such as real names, addresses, or other personally identifiable information, you may need to perform your own notification.

If the affected repository contains highly sensitive information such as passwords, tokens, or other credentials, we recommend you consider those secrets to be compromised and to take immediate action to mitigate potential risk and look for signs of misuse after 2016-10-20 22:35:00 UTC.

What we are doing:

Along with sending notifications similar to this one to all customers who had data exposed, we will be reaching out to the users who inadvertently received others’ private data. As part of that outreach, we are requesting they avoid examining said data and take steps to expunge it from their systems as quickly as possible.

We have corrected the bug that caused this incident and are now working on improvements to introduce new safeguards that will help ensure a similar bug will not reoccur in the future. Tomorrow we will be publishing a public, detailed analysis, explaining exactly what happened and what we have done to correct the problem.

While this does not change the fact that your private data was exposed, we will be automatically applying a coupon to your account to cover 100% of the current cost for your GitHub.com service for twelve months.

If you have any questions or concerns about this incident, please don’t hesitate to contact us. We expect to have our investigation completed soon, but prior to that we are happy to assist in any way we can.

I, and everyone at GitHub, consider the unauthorized exposure of even a single private repository to be a serious failure and we sincerely apologize. It is my hope that we are able to regain your full trust in our service.

Sincerely,

Shawn Davenport
VP, Security
GitHub, Inc.

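The notice says that in most cases "most or all" of the repository's Git history was transmitted, so the advice to treat passwords, tokens and other credentials as compromised applies to every commit ever pushed, not just the files in the current tree. A secret that was committed and later removed is still in the leaked history. The script below is an added example and is not code from the post or from GitHub: it parses `git log --all -p` output and reports credential-like strings on added lines of every commit, so a key deleted from HEAD long ago still surfaces. The regex patterns are ordinary heuristics chosen here, and the embedded sample log, its commit hashes and the AWS-style example key are constructed for illustration.

```python
"""Scan a repository's full Git history (all refs) for credential-like strings.

Added example, not from the original post. Patterns are illustrative
heuristics, not an authoritative list; the sample log below is constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Heuristic detectors (assumption: these cover the common shapes a reviewer
# would want flagged; extend for your own secret formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # NAME_WITH_PASSWORD_OR_SECRET = "value-of-8-or-more-chars"
    "generic_assignment": re.compile(
        r"""(?i)\b[\w-]*(?:password|passwd|secret|token|api[_-]?key)[\w-]*\s*[:=]\s*['"]?[^\s'"]{8,}"""
    ),
}

GIT_FORMAT = "commit:%H %cI"  # one header line per commit: hash and committer date


@dataclass
class Finding:
    commit: str
    date: str
    path: str
    kind: str
    line: str


def parse_log(text):
    """Parse `git log --all -p --format=commit:%H %cI` output.

    Only '+' (added) lines inside hunks are inspected, so each secret is
    attributed to the commit that introduced it. '---'/'+++' file headers are
    skipped by tracking whether we are still in a 'diff --git' header.
    """
    findings = []
    commit, date, path, in_header = None, None, None, False
    for raw in text.splitlines():
        if raw.startswith("commit:"):
            parts = raw[len("commit:"):].split()
            commit, date = parts[0], (parts[1] if len(parts) > 1 else "")
        elif raw.startswith("diff --git "):
            m = re.match(r"diff --git a/(.*) b/(.*)$", raw)
            path = m.group(2) if m else raw
            in_header = True
        elif raw.startswith("@@"):
            in_header = False
        elif raw.startswith("+") and not in_header:
            added = raw[1:]
            for kind, pat in PATTERNS.items():
                if pat.search(added):
                    findings.append(Finding(commit, date, path, kind, added.strip()))
    return findings


def scan_repo(repo_path):
    """Run git over every ref in the repository and parse the result."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "-p", f"--format={GIT_FORMAT}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_log(out)


# Constructed sample: the newer commit moved the AWS key into the environment,
# so HEAD looks clean, but the older commit that added the key is still in
# history (hashes are made up for the example).
SAMPLE_LOG = """\
commit:b2e6b1d0e4b0b9a0f3c1e2d3a4b5c6d7e8f90a1b 2016-10-19T10:02:11+00:00

diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,2 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
commit:a1f3c9e7b5d2a4c6e8f0b1d3a5c7e9f1b3d5a7c9 2016-09-02T08:15:40+00:00

diff --git a/config/settings.py b/config/settings.py
new file mode 100644
--- /dev/null
+++ b/config/settings.py
@@ -0,0 +1,3 @@
+DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""


if __name__ == "__main__":
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else parse_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.commit[:12]} {f.date} {f.path} [{f.kind}] {f.line}")
```

Run it as `python scan_history.py /path/to/repo` against a clone that has fetched all branches and tags; without an argument it scans the embedded sample and reports two findings, both in the older commit, which a HEAD-only scan would miss. Anything it reports should be rotated regardless of whether it is still in the current tree, and the commit date tells you how long the credential has been in the history that was transmitted.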