
What it's like to have your GitHub account hijacked twice in one year

My GitHub account has been flagged as spam again, the second time this year. The Support page said it could take up to 14 business days to get a reply (that notice has since been removed); in practice the first time took 26 days (02/02~02/28) and the second time a full four months (07/04~11/08) before I received the reply restoring my account. In other words, for close to half of 2024 my GitHub account was invisible to others and I could not use third-party applications (for me the main impact was that Vercel had to be fed from another Git platform or via the CLI).

The first time was in February this year. At 12:00 on 02/02 I received a GitHub email notifying me that @Y5neKO had opened an issue on the Xalaok1 repository under my account. Its body was a link to a Discussion, saying roughly that he had found an extra repository named Y5neKO1 under his account, that his account had starred an unfamiliar repository, and that every user who had starred that repository had a {user}1 repository. He presumably opened an issue for every hijacked user; my thanks to him for that.
At 17:11 I received another email from GitHub: "GitHub has detected a possible suspicious login attempt on your account and has forced a password reset. We recommend that you change to a strong password immediately and enable two-factor authentication to secure your account. Review your recent account activity, repositories and stars, and contact GitHub Support if you have any questions." So I changed my password right away.
At 21:48 I filed a ticket explaining that I had changed my password, but that I did not understand why my account had been hijacked even though I had 2FA enabled, and that authorizing third-party applications was restricted with the message "You are marked as spam, and therefore cannot authorize a third party application."

02/05 Security Log screenshot

Two weeks later, at 19:18 on 02/17, I added a sincerely worded message I had found online: "Dear sir or madam: I am writing to seek your help. My GitHub account has been flagged and my profile is hidden from the public. Similarly, I am also marked as spam, so I cannot authorize third-party applications. It brings me a lot of trouble. I would appreciate your help if you unlock the hidden profile as soon as possible. Thank you so much."
Another two weeks later, at 16:27 on 02/28, I finally received a reply:


Hi Xalaok,

Thank you for taking the time to write in. I’m sorry for the time it has taken to get back to you—it was certainly longer than we would have liked.

We recently noticed that your GitHub account had a suspicious login. Out of an abundance of caution, we've forced a password reset on your account. We've noticed that you've already accessed your account and reset your password, which is great! Thanks for taking the initiative to secure your account.

To protect your account from unauthorised access, please choose a strong and unique password for your account. We have a help article with some recommendations here:

We also strongly recommend taking the additional step to secure your account with two-factor authentication. The following guide provides step-by-step instructions:

While we can’t be certain as to how your account was compromised, a common cause is reusing credentials across multiple online services. An attacker can then obtain a list of email addresses and passwords from one compromised service, and use them to compromise accounts on another. Please note that while individual GitHub accounts may have been compromised via such means, GitHub itself has not been hacked or compromised.

Alternatively, it’s possible that one of your devices may be infected with malware capable of stealing passwords or browser session data. We’d advise reviewing your device security to ensure this isn’t the case.

During the account compromise, it appears that the bad actor starred a number of repositories but we have since unstarred any repositories that were not starred by you. Additionally, the bad actor created some repositories but we see that you have deleted the repository, thank you for doing that!

If you have any further questions or concerns, please don’t hesitate to reach out. We’re here to help.

Kind regards,

Lewis, SDG.

GitHub Support.

TL;DR: To keep your account safe, set a strong password and enable two-factor authentication. The takeover may have been caused by reusing the same password across multiple services, or by a malware-infected device. We have unstarred the repositories you did not star yourself, and thank you for deleting the repository the attacker created. Note that GitHub itself has not suffered a breach.

The second time was on 07/04. Once again I only discovered the account had been restricted because that day's 08:12 commit 708b723 was not picked up by Vercel. Checking the Security Log, I found an IP from Kazakhstan at 02:44:26 on 06/25, and from 05:02:00 on 07/04 an IP in London had created 14 repositories in my account: Xalaok1, WinRar-Setup, tenorshare-4ukey, Sony-Vegas, Solana-Sniper-Bot, Filmora, FL-Studio, Reiboot-free, Adobe-Premiere-Pro, BNB-finder, Adobe-Photoshop, Adobe-Illustrator, Adobe-After-Effects, Adobe-Acrobat.
At 20:35 I filed a ticket describing the situation above.
Four months later 😑, at 21:15 on 11/06, I received a reply:


Hi there,

Thank you for contacting GitHub Support.

We have cause to believe that your account may have been compromised and misused. In particular, malicious content may have been published using your account. We have placed restrictions on its visibility while we investigate further.

To assist us in this process, please review your account for any content that you don’t recognise. Your account’s security log may assist you in this process. During the review, please look out for two possibilities:

  • new repositories, not created by you
  • modifications to your existing repositories, not performed by you

If you identify new repositories that were not created by you, please first take note of their URLs, and then delete them by following our documentation here. Do not interact with any of the content in these repositories, as this may result in further compromise. Once you have deleted these repositories, please reply with a list of their URLs.

If you identify modifications to your existing repositories, you have two options:

  1. If you are happy to delete the repository (for example, if you have a backup, or you no longer need it), please do so and reply with a list of URLs for any repositories you have deleted.
  2. If you need to retain the repository, we can assist you in repairing it. Please do not attempt to modify or explore the repository content yourself. Instead, please send us the relevant URLs, and we will then share further instructions.

If you identify any other suspicious actions on your account, please also inform us of these in your reply. Alternatively, if you still require assistance and can’t locate any malicious or suspicious content, please let us know and we’ll take another look.

Additionally, if you missed this message and are unable to reply, you can start a new support request here: https://support.github.com/contact/cannot_sign_in

If you choose to create a new request, including this ticket number for reference will help us provide the necessary context: # NUM

We are working to resolve your case as soon as possible, and we thank you for your patience and cooperation.

Kind regards,

Lewis, SDG.

GitHub Support.

TL;DR: GitHub Support believes your account may have been compromised and used for malicious activity, so its visibility has been restricted while they investigate. Please review your account, watch for commits in your own repositories that you did not make, delete the repositories you did not create, and list them in your reply.

At 17:02 on 11/07 I replied with the 14 repositories listed above.
At 01:27 on 11/08 I finally received the email restoring my account:


Hi again,

Thank you for working with us to resolve this. 

Upon review, we have lifted all the restrictions currently imposed on your account. Your account should be available again by now.

For your attention, this kind of unauthorized access often occurs as a result of reusing the same sign-in credentials on multiple online services. An attacker is then able to obtain lists of email addresses and passwords from other online services that have been compromised in the past, and try them on GitHub. To note, GitHub has not been hacked or compromised.

Additionally, it’s possible that your system is infected with malware that can steal passwords and browser session data. I would like to suggest that you scan your computer for malware to protect against potential threats. 

Regularly scanning your computer is critical to maintaining optimal cybersecurity. Therefore, I encourage you to make it a regular practice to scan your system at least once a week. Furthermore, it is essential to keep your anti-virus and anti-malware software up-to-date to safeguard against the latest threats.

As for this:

I have a question, are my stars going to be retained?

Yes they will, the stars removed will be those added by the bad actor.

If you have any further questions or concerns, please don’t hesitate to reach out. We’re here to help.

Kind regards,

Lewis, SDG.

GitHub Support.

TL;DR: Hello, and thank you for working with us to resolve the account issue. We have lifted all restrictions on your account. Problems like yours are usually caused by using the same password in several places: attackers obtain lists of email addresses and passwords from other compromised online services and try them on GitHub. Note that GitHub itself was not breached. Your system may also be infected with malware; we recommend scanning your computer for potential threats.

Both replies stressed that "the takeover may stem from reusing the same password across services or from a malware-infected device" and that "GitHub was not breached". But my password is a strong one randomly generated by Bitwarden, and 2FA was enabled, so I have no idea how the account got compromised! Could it be my "magic" (VPN) that is the problem?
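Both incidents were spotted the same way the support reply asks for: read the security log, pick out addresses you do not recognise, and list what they did. The script below is an added example written for this post, not GitHub's own tooling. It automates that triage over a JSON-lines export of the security log; the record layout (action, actor_ip, actor_location.country_code, created_at, repo), the sample events and the RFC 5737 addresses are constructed assumptions, with the repository names and timestamps taken from the second incident.

```python
"""Triage a GitHub security-log export for signs of account takeover.

Added example for this post, not a GitHub tool. It assumes a JSON-lines
export whose records carry action, actor_ip, actor_location.country_code,
created_at and repo; those field names are an assumption, check them
against your own export before relying on this.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# The 14 repositories the post says were created on 07/04, in the post's order.
ATTACKER_REPOS = [
    "Xalaok1", "WinRar-Setup", "tenorshare-4ukey", "Sony-Vegas",
    "Solana-Sniper-Bot", "Filmora", "FL-Studio", "Reiboot-free",
    "Adobe-Premiere-Pro", "BNB-finder", "Adobe-Photoshop",
    "Adobe-Illustrator", "Adobe-After-Effects", "Adobe-Acrobat",
]


def _event(action: str, ip: str, cc: str, ts: str, repo: str | None = None) -> str:
    """Build one constructed log line in the assumed export shape."""
    ev = {"action": action, "actor_ip": ip,
          "actor_location": {"country_code": cc}, "created_at": ts}
    if repo:
        ev["repo"] = repo
    return json.dumps(ev)


# Constructed sample: the owner's own activity from one address, the 06/25
# Kazakhstan login and the 07/04 London session described in the post.
# Addresses are RFC 5737 documentation ranges, not the real ones, and
# "Xalaok/blog" stands in for an existing repository of the owner's.
SAMPLE_LOG = "\n".join(
    [
        _event("user.login", "203.0.113.10", "CN", "2024-06-20T10:00:00Z"),
        _event("git.push", "203.0.113.10", "CN", "2024-06-21T12:00:00Z", "Xalaok/blog"),
        _event("user.login", "198.51.100.7", "KZ", "2024-06-25T02:44:26Z"),
        _event("user.login", "192.0.2.55", "GB", "2024-07-04T05:02:00Z"),
    ]
    + [
        _event("repo.create", "192.0.2.55", "GB",
               f"2024-07-04T05:{3 + i:02d}:00Z", f"Xalaok/{name}")
        for i, name in enumerate(ATTACKER_REPOS)
    ]
    + [_event("git.push", "203.0.113.10", "CN", "2024-07-04T08:12:00Z", "Xalaok/blog")]
)


@dataclass
class Triage:
    suspicious_ips: dict[str, str] = field(default_factory=dict)  # ip -> first seen
    created_repos: list[str] = field(default_factory=list)        # created from those IPs
    modified_repos: list[str] = field(default_factory=list)       # pre-existing, pushed to from those IPs


def parse_log(text: str) -> list[dict]:
    """Parse a JSON-lines export and return the events oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["created_at"])


def triage(events: list[dict], home_countries: set[str]) -> Triage:
    """Flag every IP seen outside the owner's usual countries, then list what it did.

    The second pass mirrors the two checks in the support reply: repositories
    you did not create, and changes to repositories you did.
    """
    report = Triage()
    for ev in events:
        ip = ev.get("actor_ip")
        cc = ev.get("actor_location", {}).get("country_code")
        if ip and cc not in home_countries and ip not in report.suspicious_ips:
            report.suspicious_ips[ip] = ev["created_at"]
    for ev in events:
        if ev.get("actor_ip") not in report.suspicious_ips:
            continue
        repo = ev.get("repo")
        if not repo:
            continue
        if ev["action"] == "repo.create":
            report.created_repos.append(repo)
        elif ev["action"] == "git.push" and repo not in report.created_repos:
            if repo not in report.modified_repos:
                report.modified_repos.append(repo)
    return report


if __name__ == "__main__":
    r = triage(parse_log(SAMPLE_LOG), home_countries={"CN"})
    for ip, first in r.suspicious_ips.items():
        print(f"unfamiliar IP {ip}, first seen {first}")
    print("repositories created from those IPs (delete them, then report the URLs):")
    for repo in r.created_repos:
        print(f"  https://github.com/{repo}")
    print("existing repositories they pushed to (leave untouched, ask Support):",
          r.modified_repos or "none")
```

The country heuristic is deliberately crude: travelling or a VPN exit in another country will produce false positives, and an attacker who happens to exit in your home country will not be flagged, so treat the flagged list as a starting point for reading the log by hand rather than a verdict. The URL list it prints is exactly what the support reply asks you to send back after deleting the repositories; anything in the "existing repositories" list should be reported rather than cleaned up yourself, as the reply also says.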

Licensed under CC BY-NC-SA 4.0. If you repost this, please leave a note on the message board.