My account is hijacked. How long should it take for github support to respond to a support request?

I sent a support request to Github about my account having been hijacked last Wednesday. My username is “crass” in case someone from github sees this. I got an email saying that my password had been reset, then another saying github saw a login from an unrecognized location. Next an email I’ve never seen was added to my account and the emails on my account were removed. So in the span of 5 minutes, I’ve been locked out of my account. I’ve sent emails to support with no response. It doesn’t appear that the hijacker is doing anything with the account, but it’s hard to tell. I’d like to at least get my account suspended/frozen until this can be properly resolved, so the hijacker can’t do anything (more) destructive.

Also, I sent my support request from the email that the hijacker removed. Could it be that the request is not being handled in a timely manner because it cannot be automatically associated with an account now? Anyone know how I can get a quicker response from github?

Sorry, people can be terrible. I can’t say how quickly github can respond, but you could do a few things to protect yourself and others while this gets sorted out:

  • Grab a copy of all your repos; as long as you have a local copy you can always revert all their changes (force pushing over history just to be sure).
  • If you are part of a github organization or a collaborator on anyone’s projects, reach out to the maintainers and ask them to temporarily remove you from the org/repository.

I am gonna reply later, but to start I am gonna fork all your repos and clone them locally for safe keeping.

Alright, now that I have forked your repos they should be safe, though I can’t really help you with any private repos. Once you regain control of your account I recommend the following security measures to prevent and minimize risk in the future:


Thanks @majormoses. I had a 16 character random password.  Somehow they were able to do a password reset.  I had two emails associated with the account, one was hosted by google, which I don’t think they have access to. The other was an email that shouldn’t actually be in service anymore.  So I’m not sure how they did a password reset.  Perhaps some DNS poisoning allowed them to get the reset email?

Sadly, I did not have 2FA on the account, which should have prevented this.  I’ve spent a day adding TOTP to other important accounts I have, which I should have done a while back.  I don’t trust SMS 2FA either because of some horror stories I’ve read with attackers porting people’s phone numbers to access accounts. Until I get keys, I’ve been using authenticators with TOTP.  Also, I’ve been thinking that I need to sign all my commits too and I actually have a keybase account, just haven’t set it up properly.  Thanks for the suggestion!

I’ve also backed up much of my github account (repos, gists, wikis, issues, pull requests).  What are you using to backup accounts?  I’m using GitHub-Backup, to which I’ve ported over some features of python-github-backup. Unfortunately, since I’m doing this from another account, there’s a lot I can’t get access to (as you know). Also, I can’t access which projects I’m a collaborator on, so I’m not sure of the full set of projects to contact!  I wonder why this info is only accessible by the account owner. Collaborator info can be seen in comments made by the user on projects, so what’s wrong with just getting a list?  I’m failing to see the negative security implications.

Thanks for the helpful advice!

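The “grab a copy of all your repos” suggestion above, and the backup question in this reply, can be scripted. The following is an added example, not code from the thread or from GitHub-Backup: it mirror-clones every public repo of a user via the GitHub REST API so a trusted local copy exists, and refreshes the mirrors on later runs. It assumes curl, git, grep and sed are installed; GH_USER and BACKUP_DIR are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): keep a full local mirror of every public
# repo of a GitHub user, so a force-push or deletion upstream can be reverted.
# Assumes curl, git, grep and sed; GH_USER / BACKUP_DIR are placeholders.
set -eu

# Pull the "clone_url" values out of one page of the GitHub "list user repos"
# JSON response. Only that field is needed, so no JSON library is required.
extract_clone_urls() {
  printf '%s\n' "$1" | grep -o '"clone_url": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Local directory name for a mirror: owner__repo.git, so that repos with the
# same name under different owners (forks) do not collide.
mirror_dir_for() {
  printf '%s\n' "$1" | sed -e 's#^https://github.com/##' -e 's#/#__#'
}

# First run creates the mirror, later runs refresh it. --mirror keeps every
# branch and tag, which is what you need to restore history after a hijack.
mirror_repo() {
  url="$1"; dest="$2/$(mirror_dir_for "$url")"
  if [ -d "$dest" ]; then
    git -C "$dest" remote update --prune
  else
    git clone --mirror "$url" "$dest"
  fi
}

# Walk the paginated API (100 repos per page) until an empty page comes back.
backup_user() {
  user="$1"; dest="$2"; page=1
  mkdir -p "$dest"
  while :; do
    json=$(curl -fsSL "https://api.github.com/users/$user/repos?per_page=100&page=$page")
    urls=$(extract_clone_urls "$json")
    [ -n "$urls" ] || break
    for url in $urls; do mirror_repo "$url" "$dest"; done
    page=$((page + 1))
  done
}

# Usage (placeholders): backup_user "$GH_USER" "$BACKUP_DIR"
```

Private repos are not listed by the unauthenticated endpoint, so this only covers what is public, which matches the situation in the thread.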

Hi @dead-prez,

Nasty situation you found yourself in :frowning:

You should have received a reply from support a few minutes ago, they’ll deal with it.


I had a 16 character random password.  Somehow they were able to do a password reset.  I had two emails associated with the account, one was hosted by google, which I don’t think they have access to. The other was an email that shouldn’t actually be in service anymore.  So I’m not sure how they did a password reset.  Perhaps some DNS poisoning allowed them to get the reset email?


Another possibility is that they registered the domain if it ever lapsed; I have seen that happen with companies that went out of business. I also have multiple emails, and you can choose to lock down recovery to only specific emails, so even if, say, you leave your work email associated, if the domain is ever up for sale it won’t be possible to abuse. You can configure this here https://github.com/settings/emails.

I’ve also backed up much of my github account (repos, gists, wikis, issues, pull requests).  What are you using to backup accounts?  I’m using GitHub-Backup, to which I’ve ported over some features of python-github-backup. Unfortunately, since I’m doing this from another account, there’s a lot I can’t get access to (as you know).


I actually don’t use anything custom to backup my repos; git by its very nature means that there are always multiple copies of them across multiple machines. Since I sign my commits I can always know what to revert without having to inspect the code itself. While I was poking around in the interface I saw https://help.github.com/en/articles/requesting-an-archive-of-your-personal-accounts-data in https://github.com/settings/admin which I don’t recall seeing before. I can’t find an API from a quick search, but it might be interesting to be able to have a call make a backup of all repos, metadata, etc. It looks like those projects may actually be a good idea for my org in case anyone does manage to accidentally do something bad. We have safeguards in play for this but you can’t truly stop an admin short of revoking.

Also, I can’t access which projects I’m a collaborator on, so I’m not sure of the full set of projects to contact!  I wonder why this info is only accessible by the account owner. Collaborator info can be seen in comments made by the user on projects, so what’s wrong with just getting a list?  I’m failing to see the negative security implications.


I imagine the reason that you can’t get the list of repos someone collaborates on is to make it harder to socially engineer and then target collaborators on high value projects. In my case I mostly tend to be a collaborator on larger organizations with lots of repositories rather than them all spread out across users, though I do have a few of those. I keep all of them checked out and pull them from time to time as well. One option is to query the list of all public pull requests you have made https://github.com/pulls?utf8=%E2%9C%93&q=is%3Apr+author%3Acrass+archived%3Afalse+ ; while this does not tell you exactly which ones you have “commit bit” on, it can probably help jog your memory.

Anyways, glad to hear that Github reached out and that they are helping (or hopefully have helped you already).