Microsoft-owned GitHub said it replaced its RSA SSH private key after it was briefly exposed in a public repository. The company said that the exposure was not a result of a breach, but rather the key was published accidentally.
“We discovered that GitHub.com's RSA SSH private key was briefly exposed in a public GitHub repository. We immediately acted to contain the exposure and began investigating to understand the root cause and impact. We have now completed the key replacement, and users will see the change propagate over the next thirty minutes,” the company said in a blog post.
GitHub also added that it has no reason to believe that the exposed key was abused and that the steps were taken “out of an abundance of caution.”
“At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected,” the company explained.
The disclosure comes nearly two months after GitHub revealed a security breach, where hackers stole encrypted code signing certificates for its Desktop and Atom applications after gaining access to a set of repositories of the afore mentioned apps. As a preventive measure the company has revoked the exposed certificates.
