CyberSecurityBoard
Sponsor Register Login

GitHub warns users to enable 2FA before upcoming deadline

GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication on their accounts.
In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code on GitHub.com must enable 2FA by January 19th, 2024.
This same warning is shown on the GitHub site after logging into your account, as shown below.
If you write or manage code on GitHub, this will apply to you.
The company has made this decision to protect accounts from being breached and code altered in supply chain attacks.
This change is only for GitHub.com, not for business or enterprise accounts.
If you haven't set up 2FA by the deadline, you'll find your access to GitHub limited.
GitHub has instructions to help you configure it easily.
After the January 19th deadline, users attempting to access GitHub.com without 2FA will be automatically directed to complete the setup.
Even after 2FA becomes mandatory, any configured Personal Access Tokens, SSH keys, and apps will still work.
If you want to make new ones or change your account settings, you must enable 2FA on the account.
GitHub offers various methods for enabling 2FA, catering to user preferences regarding using security keys, GitHub Mobile, authenticator apps, and SMS text messages.
To guarantee continuous access, activating at least two of these methods is recommended.
Users can manage their 2FA settings and explore additional methods in their security settings on GitHub.
If you've already enabled 2FA before January 19th, 2024, you're all set.
You can't turn off 2FA, but you can change your configured verification methods.
If you lose all your 2FA options, the only way back into your account is with your recovery codes.
New phishing attack steals your Instagram backup codes to bypass 2FA. Okta one-time MFA passcodes exposed in Twilio cyberattack.
Microsoft discovers critical RCE flaw in Perforce Helix Core Server.
Microsoft disrupts cybercrime gang behind 750 million fraudulent accounts.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 26 Dec 2023 21:06:28 +0000


Cyber News related to GitHub warns users to enable 2FA before upcoming deadline

GitHub warns users to enable 2FA before upcoming deadline - GitHub is warning users that they will soon have limited functionality on the site if they do not enable two-factor authentication on their accounts. In emails sent to GitHub users on Christmas Eve, the company warned that all users contributing code ...
6 months ago Bleepingcomputer.com
BT Misses Deadline For Huawei Equipment Removal - Carrier fails to completely meet UK government's year-end deadline, for removal of Huawei equipment from core network. The UK government's year-end deadline for BT to remove Huawei telecoms equipment from its core network has been missed. The ...
5 months ago Silicon.co.uk
MFA vs 2FA: Which Is Best for Your Business? - If a user falls for a phishing scam and their credentials are compromised, multi-factor authentication or two-factor authentication provide an additional safeguard against a breach. MFA uses authentication factors such as a pin, an SMS code, an ...
3 months ago Techrepublic.com
BT Risks Fine As Huawei Removal Deadline Nears - UK carrier BT is at risk of a fine as it nears 31 December deadline to replace Huawei equipment from its core network. BT Group is at risk of financial penalties from the UK government, as it looks set to miss the 31 December to replace equipment ...
6 months ago Silicon.co.uk
Twilio will ditch its Authy desktop 2FA app in August, goes mobile only - The Authy desktop apps for Windows, macOS, and Linux will be discontinued in August 2024, with the company recommending users switch to a mobile version of the two-factor authentication app. Authy is an authenticator app that allows users to set up ...
5 months ago Bleepingcomputer.com
GitHub Wants All Users to Enable 2FA Before the End of 2023 - GitHub, the omnipresent nexus for developers and their code, has embarked on a decisive initiative aimed at fortifying the security of the software supply chain. In a groundbreaking announcement, the platform has set forth a mandate for two-factor ...
6 months ago Cybersecuritynews.com
Mandiant says X account brute forced without 2FA protection The Register - Well, Mandiant's carefully worded response basically said it wasn't implemented. It didn't specifically point to the policy change X announced in February 2023, which was to disable SMS-based 2FA for users who didn't pay for Twitter Blue, but some ...
5 months ago Go.theregister.com
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
6 months ago Securityboulevard.com
Haier hits Home Assistant plugin dev with takedown notice - Appliances giant Haier issued a takedown notice to a software developer for creating Home Assistant integration plugins for the company's home appliances and releasing them on GitHub. Haier is a multinational home appliances and consumer electronics ...
5 months ago Bleepingcomputer.com
2FA-less GitLab users vulnerable to account takeovers The Register - GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May ...
5 months ago Go.theregister.com
GitHub code-signing certificates stolen - Another day, another access-token-based database breach. This time, the victim is Microsoft's GitHub business. On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised ...
1 year ago Nakedsecurity.sophos.com
CVE-2021-32638 - Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token ...
1 year ago
CVE-2020-35800 - Certain NETGEAR devices are affected by incorrect configuration of security settings. This affects AC2100 before 1.2.0.72, AC2400 before 1.2.0.72, AC2600 before 1.2.0.72, CBK40 before 2.5.0.10, CBR40 before 2.5.0.10, D6000 before 1.0.0.80, D6220 ...
3 years ago
Payoneer accounts in Argentina hacked in 2FA bypass attacks - Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. Payoneer is a financial services platform providing online money ...
5 months ago Bleepingcomputer.com
GitHub, PyTorch and More Organizations Found Vulnerable to Self-Hosted Runner Attacks - Last July, we published an article exploring the dangers of vulnerable self-hosted runners and how they can lead to severe software supply chain attacks. GitHub itself was found vulnerable, as well as various notable organizations, such as PyTorch, ...
5 months ago Securityboulevard.com
New phishing attack steals your Instagram backup codes to bypass 2FA - A new phishing campaign pretending to be a 'copyright infringement' email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. Two-factor authentication is a ...
6 months ago Bleepingcomputer.com
CVE-2023-30853 - Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration ...
1 year ago
Blockchain dev's wallet emptied in "job interview" using npm package - The recruiter in question asked the developer to download npm packages from a GitHub repository, and hours later the developer discovered his MetaMask wallet had been emptied. Take-home job exercise empties dev's crypto wallet. Moments later, the ...
6 months ago Bleepingcomputer.com
Rely on Authy desktop apps? You have one month to switch your 2FA, or else - Like many others, I have been a long-time user of Twilio's Authy Desktop app, a part of the company's range of Authy two-factor authenticator apps for various platforms. I started using it because it allowed me access to my authentication keys on ...
4 months ago Zdnet.com
Tensorflow Supply Chain Compromise via Self-Hosted Runner Attack - Let's say TensorFlow wants to run a set of tests when a GitHub user submits a pull request. TensorFlow can define these tests in a yaml workflow file, used by GitHub Actions, and configure the workflow to run on the `pull request` trigger. One type ...
5 months ago Securityboulevard.com
APT Hackers Abusing GitHub - Hackers use GitHub to access and manipulate source code repositories. GitHub hosts open-source projects, and unauthorized access allows hackers to inject malicious code, steal sensitive information, and exploit vulnerabilities in software development ...
5 months ago Cybersecuritynews.com
Phishing Campaign Targets Instagram Users, Steals Backup Codes and Circumvent 2FA Protection - A recent phishing scheme has emerged, posing as a 'copyright infringement' email to deceive Instagram users and pilfer their backup codes. These codes, integral for the recovery of accounts, are used to circumvent the two-factor authentication ...
6 months ago Cysecurity.news
GitHub says hackers cloned code-signing certificates in breached repository - GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom. Code-signing certificates place a cryptographic stamp on code to ...
1 year ago Packetstormsecurity.com
Mandiant's X Account Was Hacked in Brute-Force Password Attack - Cyber threat intelligence giant Mandiant has shared the result of its investigation on its recent X account hijacking following a wave of crypto-related X account hacks. On January 3, 2024, the X account of Mandiant, a subsidiary of Google Cloud, was ...
5 months ago Infosecurity-magazine.com
CVE-2021-32724 - check-spelling is a github action which provides CI spell checking. In affected versions and for a repository with the [check-spelling action](https://github.com/marketplace/actions/check-spelling) enabled that triggers on `pull_request_target` (or ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)