Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13. That mandate will extend to all developers who contribute code on GitHub.com by the end of 2023.
GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.
When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FAโfar lower than you'd expect from technologists who ought to know the value of it.
Popular discussion website Reddit proved this week that its security still isnโt up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employeeโs login credentials.
In a post published Thursday, Reddit Chief Technical Officer Chris "KeyserSosa" Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasnโt turned up any evidence that the companyโs primary production systems or that user password data was accessed.
โOn late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,โ Slowe wrote. โAs in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.โ