GitHub.com has rotated its private SSH key after it was accidentally published in a public GitHub repository. The exposure was brief, but as a precaution GitHub replaced the key. After the RSA SSH private key for GitHub.com was found in a public repository, GitHub took steps to contain the exposure and to investigate the root cause and impact. GitHub's current public key fingerprints have been published so that users can validate their SSH connections. The timing of the incident is notable, given the recent rollout of secret scanning for public repositories. GitHub states that no compromise of its systems or of customer information occurred and that the exposure was unintentional. The exact timeline of the exposure is unclear, but GitHub has no reason to believe the key was abused. Rotating the key is nevertheless an essential step to protect users against a potential adversary holding a copy of it. Users are advised to remove the old entry from their known_hosts file and add the new key, verified against the published fingerprint, to avoid host-key warnings during SSH connections.
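The last sentence above is the user-facing action. The following is an added example, not code from GitHub or from the original article: it computes the OpenSSH `SHA256:` fingerprint of each known_hosts entry exactly as `ssh-keygen -lf` does (SHA-256 over the raw key blob, base64 without padding) and separates a host's entries into those matching a trusted fingerprint set and stale ones to delete. The ssh-rsa keys built by `make_toy_rsa_pubkey` are constructed toy values, and the trusted set must be filled from GitHub's published fingerprints (placeholder here).

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (big-endian, 0x00 pad if MSB set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_toy_rsa_pubkey(e: int, n: int) -> str:
    """Base64 ssh-rsa blob from (e, n). Constructed for the demo; not a real key pair."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return base64.b64encode(blob).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64(SHA-256(raw key blob))."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_known_hosts(lines, host, trusted):
    """Return (keep, stale): entries for `host` whose fingerprint is not in
    `trusted` are stale (e.g. the rotated key). Other hosts, comments and
    malformed lines pass through. Hashed hostnames (|1|...) and @marker
    lines are not resolved here."""
    keep, stale = [], []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            keep.append(line)
            continue
        hosts, _key_type, key_b64 = parts[0], parts[1], parts[2]
        if host not in hosts.split(","):
            keep.append(line)
            continue
        (keep if fingerprint_sha256(key_b64) in trusted else stale).append(line)
    return keep, stale


# PLACEHOLDER: replace with the fingerprints GitHub published for github.com.
TRUSTED_GITHUB = {"SHA256:<fingerprint-from-GitHub-announcement>"}
```

Run it against the lines of `~/.ssh/known_hosts` with `host="github.com"`; every line returned in `stale` is one that `ssh-keygen -R github.com` would also drop, and `keep` shows what survives.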
| Signal | Change | 10y horizon | Driving force |
|---|---|---|---|
| GitHub rotates exposed private SSH key | Key rotation for security | Improved security measures, better protection of user connections | Protection against potential adversaries |
| Unclear window of exposure | Uncertainty in timeline | Improved transparency, clearer timeline of key exposure | Better logging and security measures |
| Multiple docs and projects use old key | Need to update key fingerprint | Updated documentation, avoidance of security warnings | Updating security measures and best practices |