I just (8 minutes ago at the moment of posting, excluding edits) received spam on an email address that I only ever used for GitHub, and I’m fairly sure that I never attached it to my git commits (for committing I specifically use email@example.com and blocked it from receiving emails, and website-made GitHub commits show up as
The “To” field in the mail headers is set to a completely different address (someone at a primary school in the Netherlands), but in the mail server logs I can see that the envelope is (rot13’d then base64’d) dHZndWhvLnBiekB5aHB0Ynp6bmFmLmF5, i.e. the email address on my GitHub account. I’ve changed it to something else (involving a csprng) so it can’t be coincidence in the future. At least one other active GitHub account of mine is so far unaffected (I haven’t checked work accounts yet).
This was before registering for github.community which requires access to my email addresses, so the issue wasn’t here.
The spam was titled “Super intense welcome offer up to €888” and the content was just a big picture, showing some coins, games, a lady, and the whole thing is a clickable link. Of course, this can be different for everyone, but if it’s a similar theme with similar timing and a similar source, then it might be more likely to be the same originating list.
For now, I guess we’ll assume coincidence, and it’ll be hard to find other people who run their own mail server and track this down… but then GitHub is large and for developers, so hopefully anyone else who finds this also finds this thread and can confirm that GitHub / Microsoft has had a data breach.