The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described how an attacker grabbed data including the details of approximately 100,000 npm users.
The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question “prior to the attack on npm.”
GitHub already sent out notifications for “known victims of third-party OAuth token theft” in April but today said it planned to “directly notify affected users of the plaintext passwords and GitHub Personal Access Tokens based on our available logs.”
Credentials in plaintext, eh? How very last century.
The number of users affected and how long the plaintext storage took place was not mentioned, but we’ve asked Github for more information. GitHub completed its acquisition of NPM Inc on 15 April 2020. Techies have already taken to the Hacker News messaging board to detail emails they received from npm.