16 comments

[ 3.2 ms ] story [ 56.7 ms ] thread
I really suggest if you see your email in this list to change your github password. I have seen my account in this list along with the name of the companies I am member of in Github. I tested 3-4 other accounts and all of them are valid credentials for github.com
None of my 3 accounts in there.
Looks like the results of brute forcing password hashes. The list only contains easy passwords.
Most of the passwords seem easy but you can find some harder passwords in the list. Examples: ABab12!@, 1ae2T8gogE, nyC27f6cuW, 01j2o8h8n9 and more
01j2o8h8n9 is by no means a secure password
How do you assess that?
at first this looks like 10 letter + digits, so the number of possible combinations are

    10 ^(26 + 10) = 10^36
But notice that the letters all come from the right half of the keyboard, which is not that uncommon. So the attacker could have tried

    10 ^(26/2 + 10) = 10^23
passwords, which is really not that secure. But then again, the password starts with 01 so this would show up very early in an exhaustive search.

And given these characteristics, chances are the hash was already in someones rainbow tables.

> But notice that the letters all come from the right half of the keyboard

Better yet, now notice that the letters come from a set of four! That reduces the search space even more!

Ridiculous argument.

I tested a number of accounts, it's a legit dump. If your email is in there I'd change your password and anywhere else you re-used the password.
I am still testing several accounts, more than 90% are legit accounts that didn't changed password yet. Among the accounts I did find companies such as Microsoft, General Electric, EpicGames and more.
Kind of off topic, but doesn't github and other big companies use a services that automatically emails the owner and/or resets their password when their account information shows up on pastebin?

So why are the accounts still up?

I didn't know such service existed. Sounds interesting.

Is there a service monitoring pastebin etc. for an individual's email account?

BTW the EpicGames are just people that downloaded UE4 and got access to the github source. They're not actually from Epic.