Ask HN: How did my GitHub password breach and how to react?

9 points by jFriedensreich ↗ HN
I got a 2 way authentication warning from github that someone in canada successfully entered my github password and was stopped by 2 way authentication.

Normally session warnings are business as usual but in this case my password was entered and it was generated by a password manager with high entropy, was only stored in dashlane, 1password and chrome password manager.

A google search for the password had no results and have haveibeenpwned shows no known breach. I have no idea how this could have leaked and what my security status is now. I have some productivity apps on my mac with accessibility permissions to read my clipboard (yippy, zoom, teams, pgp), but i am not sure i have to assume one of these apps is compromised and wipe my whole machine.

Does anyone have any ideas about breaches not in haveibeenpwned or what a reasonable response would be or could chime in what they would do? I know in theory i would need to wipe my machine and then change all my passwords wich would take weeks, but i am not sure this is an overreaction.

1 comment

[ 2.2 ms ] story [ 6.7 ms ] thread
update in case anyone stumbles across this later: the software that caused the issue has been identified and was related to one of my clients product code, no browser extension, mentioned mac utility application or phishing attack was the cause.

my takeaways:

- non sms 2FA is obligatory everywhere no exception

- password expiration after one year makes sense and can help finding breaches much faster

- applications should have an enforceable field to attach a note to a new session for finding possible breach source or remembering legitimate access that is further in the past

- passwords are stupid and should be replaced in general