Basic authentication using a password to the API

Hi,

Once a week I receive this email from github ->

Hi @YannBerry,

On November 10th, 2020 at 10:37 (UTC) you used a password to access an endpoint through the GitHub API using curl:

https://api.github.com/user/orgs

Basic authentication using a password to the API is deprecated and will soon no longer work. Visit https://developer.github.com/changes/2020-02-14-deprecating-password-auth/ for more information around suggested workarounds and removal dates.

Thanks,
The GitHub Team

As far as I’m concerned I don’t use the API. Why do I receive this email? What should I do?

Thanks !
Yann

I got that email just today. Assume it is phishing?

I still don’t know. Please tell me if you find a solution :slight_smile:

@YannBerry, @saya7852
The link to 2020-02-14-deprecating-password-auth is a valid GitHub change notification.

The email looks valid (and similar to what other users I have seen asking about have received); it is not asking you to click on any suspicious links.

You should switch to using a personal access token; further details here.

You mention “As far as I’m concerned I don’t use the API. Why do I receive this email? What should I do?”
If that is the case I would change my password immediately (and enable 2FA on my account if not already enabled) as this warning email indicates your password credentials are being used by someone or some process (that you are unaware of) to list organizations for the authenticated user. Any such call will fail once you change your password. It also means that someone/some process could perform other actions as you as they have your password currently.

You can change your password under account settings https://github.com/settings/security
You will also find ‘Sessions’ at this link, this is a list of devices that have logged into your account. Revoke any sessions that you do not recognize.

You could also review https://github.com/settings/applications for installed GitHub Apps / Authorized GitHub Apps / Authorized OAuth Apps, and clean up anything not needed/trusted.

You can also review/monitor your account’s Security log for auditable actions you have not performed, such as:

USERNAME – user.failed_login
Failed to login

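To make the advice in the reply above concrete, here is an added Python example (not code from the thread or from GitHub). It shows what the deprecated `curl -u user:password` request carries on the wire (a Basic header that is only base64, so anyone who logs or proxies the request can read the username), what the replacement request with a personal access token looks like, and a small checker that walks constructed proxy-style log lines and reports which requests to api.github.com were sent with Basic auth, which is one way to find the "process you are unaware of". The log lines, the username, the password and the token value are all constructed; the `Authorization: token …` header form and the `Accept` media type are GitHub's documented REST API conventions.

```python
"""Added example: Basic-auth vs token-auth requests to the GitHub API,
and a checker for Basic-auth requests in (constructed) request logs."""
import base64
import binascii
from urllib.request import Request

API = "https://api.github.com/user/orgs"


def basic_auth_header(user: str, password: str) -> str:
    # The deprecated form: `curl -u user:password` sends exactly this header.
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_auth_header(token: str) -> str:
    # The replacement: a personal access token in the Authorization header,
    # i.e. `curl -H "Authorization: token $GITHUB_TOKEN"`.
    return f"token {token}"


def github_request(token: str, url: str = API) -> Request:
    # Builds the token-authenticated request; it is not sent, so this
    # runs offline.  Pass it to urllib.request.urlopen() to actually call.
    return Request(url, headers={
        "Authorization": token_auth_header(token),
        "Accept": "application/vnd.github.v3+json",
        "User-Agent": "orgs-check",
    })


def classify_authorization(value: str) -> dict:
    """Report which credential scheme an Authorization header value uses.

    Basic credentials are base64, not encryption, so the username is
    recovered; the secret half is deliberately discarded, not returned.
    """
    scheme, _, rest = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return {"scheme": "basic", "user": None, "uses_basic": True}
        user, _, _secret = decoded.partition(":")
        return {"scheme": "basic", "user": user, "uses_basic": True}
    if scheme in ("token", "bearer"):
        return {"scheme": scheme, "user": None, "uses_basic": False}
    return {"scheme": scheme or None, "user": None, "uses_basic": False}


# Constructed proxy-style log lines: "<timestamp> <method> <url> <Authorization value>".
# Username, password and token are placeholders, not real credentials.
SAMPLE_LOG = [
    f"2020-11-10T10:37:00Z GET {API} {basic_auth_header('YannBerry', 'password-here')}",
    f"2020-11-10T10:38:00Z GET {API} {token_auth_header('pat-here')}",
    "2020-11-10T10:39:00Z GET https://github.com/YannBerry -",
]


def find_basic_auth_requests(lines):
    """Return (timestamp, url, username) for each API request sent with
    Basic auth.  A hit means a username:secret pair is being sent by
    something on this host, which is what the GitHub warning describes."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, _method, url, auth = parts
        if not url.startswith("https://api.github.com/"):
            continue
        info = classify_authorization(auth)
        if info["uses_basic"]:
            hits.append((ts, url, info["user"]))
    return hits


if __name__ == "__main__":
    for ts, url, user in find_basic_auth_requests(SAMPLE_LOG):
        print(f"{ts} Basic auth to {url} as {user!r}")
```

`find_basic_auth_requests` flags any Basic header, because from the request alone you cannot tell whether the secret half is the account password or a token used as a password; the point is to locate the script, cron job or stored credential that is still sending `user:secret` and move it to `Authorization: token …` with a personal access token, then rotate the password as the reply above recommends.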

Thanks for your detailed explanation @byrneh! Suppose one should not ALWAYS assume anything with a hyperlink is phishing :sweat_smile:

@byrneh Thank you for your detailed answer :slight_smile: