Microsoft, GitHub, GitLab, and BitBucket revoke insecure SSH keys


Microsoft Azure DevOps, GitHub, GitLab, and BitBucket, four of the largest code hosting platforms, have all issued a mass revocation of SSH keys following a report about a vulnerability in GitKraken, a popular Git client.

The decision to revoke SSH keys was made after the GitKraken engineering team contacted Git hosting service providers about the issue. The bug, which was discovered in late September by the GitKraken team, resides in the open source SSH key generation library that was used in GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between 5-12-21 and 9-27-21.

The vulnerability exists due to an error in the pseudo-random number generator used by the keypair library to generate RSA keys for SSH connections. A remote attacker can generate duplicate SSH keys and gain unauthorized access to the affected systems.

The vulnerability was fixed with the release of GitKraken 8.0.1. However, the GitKraken team has warned that users who upgraded to the new version will still need to replace any GitKraken-generated keys that were created in the affected versions.

Users who are not sure which version they used to generate their SSH key are advised to renew the key by doing the following:

1. Remove all old GitKraken-generated SSH keys stored locally.

2. Generate new SSH keys using GitKraken 8.0.1, or later, for each of your Git service providers.
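
Because the flaw could give different users the same key, an administrator auditing registered SSH keys can look for one public key that appears under more than one account. The sketch below is an added example, not code from GitKraken or the hosting providers; the function names, account names and sample keys are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-")  # assumption: only these key-type families are audited


def fingerprint(line):
    """Return the OpenSSH-style 'SHA256:...' fingerprint of a key line, or None."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_PREFIXES):
            continue  # skip any leading authorized_keys options
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            return None
        # A well-formed blob starts with a length-prefixed copy of the key type.
        n = int.from_bytes(blob[:4], "big")
        if len(blob) < 4 or blob[4:4 + n] != field.encode():
            return None
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return None


def shared_keys(keys_by_account):
    """Map fingerprint -> sorted accounts for keys registered by more than one account."""
    owners = defaultdict(set)
    for account, lines in keys_by_account.items():
        for line in lines:
            fp = None if line.lstrip().startswith("#") else fingerprint(line)
            if fp:
                owners[fp].add(account)
    return {fp: sorted(a) for fp, a in owners.items() if len(a) > 1}


def constructed_line(body, comment):
    # Constructed sample: correct wire framing, but not a real RSA key.
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + body
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


SAMPLE = {  # constructed accounts and keys
    "alice": [constructed_line(b"\x01" * 32, "alice@laptop")],
    "bob": ["# work key", constructed_line(b"\x01" * 32, "bob@desktop")],
    "carol": [constructed_line(b"\x02" * 32, "carol@laptop"), "ssh-rsa not-base64!"],
}

if __name__ == "__main__":
    print(shared_keys(SAMPLE))
```

A shared fingerprint only flags a key for review, since one person may legitimately register the same key under several accounts; any key that cannot be accounted for should be removed and regenerated.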

