Did anyone else get spam on a GitHub-specific email address?

I just (8 minutes ago at the moment of posting excluding edits) received spam on an email address that I only ever used for GitHub, and I’m fairly sure that I never attached it to my git commits (for committing I specifically use git-client@lgms.nl and blocked it from receiving emails, and website-made GitHub commits show up as lgommans@users.noreply.github.com).

The “To” field in the mail headers is set to a completely different address (someone at a primary school in the Netherlands), but in the mail server logs I can see that the envelope is (rot13’d then base64’d) dHZndWhvLnBiekB5aHB0Ynp6bmFmLmF5, i.e. the email address on my GitHub account. I’ve changed it to something else (involving a csprng) so it can’t be coincidence in the future. At least one other active GitHub account of mine is so far unaffected (I haven’t checked work accounts yet).

This was before registering for github.community which requires access to my email addresses, so the issue wasn’t here.

The spam was titled Super intense welcome offer up to €888 and the content was just a big picture, showing some coins, games, a lady, and the whole thing is a clickable link. Of course, this can be different for everyone, but if it’s a similar theme with similar timing and a similar source, then it might be more likely to be the same originating list.

For now, I guess we’ll assume coincidence, and it’ll be hard to find other people who run their own mail server and track this down… but then GitHub is large and for developers, so hopefully anyone else who finds this also finds this thread and can confirm that GitHub / Microsoft has had a data breach.

:wave: Welcome to the community!

We’re certainly not aware of any breaches. If, however, you have a Google search for that email address, I found one of yours posted publicly in an issue for a popular project hosted on GitHub. I don’t want to post that here, as it would further expose that email.

If you can’t find it, I’ll happily email you the link. I hope that puts your mind at rest a bit!

Thanks canuckjacq for looking into this! That clears it up then :slight_smile: Sorry for the bother!

1 Like