According information the webσελίδα GeekedIn leaked 8 million GitHub accounts that existed in a base data without MongoDB security. The website says it has at least a third of the base, and it's very likely that it's being traded elsewhere on the internet.
The security researcher Troy Hunt who directs the service Have I been Pwned? discovered the leaked base and sent it to GitHub.
A rough analysis of the file eventually revealed that:
- It contains 8.200.000 unique email addresses, that is, it records approximately 8,2 million users GitHub, Bitbucket, and possibly other online services.
- Most of these files contain user names, e-mail addresses, geographic location, professional skills, years of professional experience.
- All of this information is already on the internet and accessible to everyone (GeekedIn has created its own database, and offers paid access to companies interested in developers)
GitHub has stated that it allows third parties to access their users' data as long as they are used for the same purpose as GitHub itself.
"Use of this information for commercial purposes violates our privacy statement and is not permitted," they told Hunt.
So he eventually managed to get in touch with GeekedIn, who recognized his mistake and promised to secure the data.
Hunt provided some of the data in raw form through his service. They include about one million GitHub users.
"This incident is not due to any kind of security vulnerability of GitHub, and is rather related to data on their site that someone recorded and then exposed to another service,"Hunt said.