Hackers use fake CircleCI notifications to hack GitHub accounts

GitHub Accounts

GitHub has published a notice detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform.

The Microsoft-owned code hosting service said it learned of the Sept. 16, 2022, attack, adding that the campaign affected “many victim organizations.”

The fraudulent messages claim to inform users that their CircleCI sessions have expired and that they must log in using GitHub credentials by clicking on a link.

cyber security

Another fake email revealed by CircleCI invites users to log in to their GitHub accounts to accept the company’s new terms of service and privacy policy by following the link embedded in the post.

Regardless of the decoy, this redirects the target to a look-alike GitHub login page designed to steal and exfiltrate entered credentials along with one-time password (TOTP) codes in real time to the attacker, thus allowing a 2FA bypass.

Hack GitHub accounts

“Accounts protected by hardware security keys are not vulnerable to this attack,” GitHub’s Alexis Wales said.

Other tactics adopted by the threat actor while gaining unauthorized access to the user account include creating GitHub Personal Access Tokens (PATs), authorizing OAuth applications or adding SSH keys to maintain access even after a password change.

cyber security

The attacker has also been spotted downloading content from a private repository, and even creating and adding new GitHub accounts to an organization if the compromised account has organization management permissions.

GitHub said it took steps to reset passwords and remove maliciously added credentials for affected users, in addition to notifying affected individuals and suspending actor-controlled accounts. He did not reveal the scale of the attack.

The company further urges organizations to consider using phishing-resistant hardware security keys to prevent such attacks.

Latest phishing attack comes just over five months after GitHub suffered a highly targeted campaign that resulted in the abuse of third-party OAuth user tokens managed by Heroku and Travis CI to download private repositories.

You may also like

Leave a Comment

About Us

Times Global Will keep you updated To the Latest News Around The Globe..

Feature Posts


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Subscribe To our Newsletter

Join our subscribers list and get Latest News directly to your inbox.