GeekedIn has reportedly leaked 8 million GitHub accounts that existed in one base data without MongoDB security. The website says it has at least a third of the base, and it's very likely that it's being traded elsewhere on the internet.
Security researcher Troy Hunt who runs the service Have I been Pwned? discovered the leaked base and sent it to GitHub.
A rough analysis of the file eventually revealed that:
- It contains 8.200.000 unique email addresses, meaning it accounts for about 8,2 millions of GitHub, Bitbucket users and, possibly, other online services.
- Most of these files contain user names, e-mail addresses, geographic location, professional skills, years of professional experience.
- All of this information is already out there online and accessible to anyone (GeekedIn has created its own database, and offers access on payment to Companies interested in developers)
GitHub has stated that it allows third parties to make its users' data available as long as it is used for the same purpose as uses and GitHub itself.
"Use of this information for commercial purposes violates our privacy statement and is not permitted," they told Hunt.
So he eventually managed to get in touch with GeekedIn, who recognized his mistake and promised to secure the data.
Hunt provided some of the data in raw form through his service. They include about one million GitHub users.
"This incident is not due to any kind of security vulnerability of GitHub, and is rather related to data on their site that someone recorded and then exposed to another service,"Hunt said.