On Tuesday the code repository GitHub contacted a number of users to warn that their passwords had been stored in plain text within internal logs due a flaw in their password reset system.
According to GitHub they discovered this flaw during “regular auditing” of their systems. Though this is concerning they claim that only a select few staff actually have access to those logs where the flaw was discovered. Those users who were affected were notified via email and asked to change their passwords to be able to regain access.
GitHub stores user passwords with secure cryptographic hashes (bcrypt), GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way.
Below is a copy of the email that affected users received from GitHub