GitHub's RSA SSH Private Key Leaks! Was It a Breach?

Should you worry about it?

GitHub's RSA SSH private key was accidentally leaked to the public, as confirmed by the code hosting platform's CEO, Mike Hanley.


"This week, we discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository," he announced via his official blog post.

Hanley, who is also GitHub's SVP of Engineering, said that they quickly contained the exposure and investigated the root cause of the issue.

GitHub's RSA SSH Private Key Accidentally Leaked to Public!

According to a report by The Register, the GitHub leak was not caused by a security breach.


Instead, the RSA SSH host key was exposed to the public because of plain old human error.

Because of this simple accident, the GitHub.com RSA SSH private key was leaked into a public GitHub repository.

Although this might seem alarming, Hanley clarified that the private key leak doesn't affect the web traffic to GitHub.com and HTTPS Git operations.

He added that it doesn't grant access to their customer data or infrastructure.

However, the RSA SSH host key exposure can still affect developers since it can cause connection errors and send warning messages.

Thankfully, GitHub was able to fix the problem on Mar. 24.

What GitHub Users Should Do

Mike Hanley said that GitHub users relying on GitHub's ECDSA or Ed25519 keys don't have to worry about anything.

But if you receive the warning message "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", you need to remove the old GitHub RSA host key that your SSH client has stored.

The GitHub CEO said that developers can remove the old key by running the command "ssh-keygen -R github.com".

Hanley's blog post gives the other steps for replacing the leaked RSA host key.


Article owned by Tech Times | Written by Griffin Davis Photo owned by Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.