You may have seen the news towards the end of June that Gentoo, a fairly advanced Linux distribution, had its GitHub organization compromised after an attacker gained control of one of the accounts connected to it. Gentoo has now published a comprehensive report on the incident, and it turns out that the gaffe came down to not following some rudimentary security advice.
The report published by Gentoo includes an incident summary that details the impact, the malicious content added to the repositories, and the root cause, which, in short, was that the attacker correctly guessed an admin's password. In the report Gentoo wrote: “Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages”. That sounds an awful lot like the “use a different password for every site” advice was ignored; note that a predictable per-site variation of one base password is no better than outright reuse, because a single leak elsewhere gives an attacker everything needed to derive the rest.
Gentoo also gave a brief explanation of what it used GitHub for and the lessons it learned from the incident. It provided a detailed timeline of events and, most importantly, a list of action items that it plans to implement.
The main actions that Gentoo plans to take, and that all readers would do well to take too, include: using a password manager so that maintaining a different password for every site is easy; enabling two-factor authentication (2FA) so that a guessed or leaked password is not enough on its own; keeping frequent offline backups of the GitHub organization settings; removing accounts that no longer need access to the repositories; and finding sponsors, such as the Linux Foundation, for 2FA hardware.
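Three of those action items can be checked and carried out against the GitHub REST API. The script below is an added example, not code from Gentoo or from this article: it reports whether 2FA is enforced for an organization, which members still lack 2FA, which outside collaborators still have access, and writes a timestamped snapshot of the organization settings to disk as a backup. It uses the public endpoints `GET /orgs/{org}`, `GET /orgs/{org}/members?filter=2fa_disabled` (owner-only) and `GET /orgs/{org}/outside_collaborators`; the organization name, the `GITHUB_TOKEN` environment variable and the sample JSON responses at the bottom are assumptions so that it runs offline.

```python
#!/usr/bin/env python3
"""Audit a GitHub organization against the action items above and snapshot
its settings. Added example, not Gentoo's code. With an org name on the
command line and GITHUB_TOKEN set it queries the live API; otherwise it
runs on the constructed sample responses at the bottom of the file."""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone

API = "https://api.github.com"


def get(path, token):
    """GET one page of the API as JSON (no pagination; fine for a small org)."""
    req = urllib.request.Request(
        API + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(org, members_without_2fa, outside_collaborators):
    """Return findings as (severity, message) tuples. Pure function, so it
    also works on JSON captured earlier without network access."""
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append(("high", "2FA is not required for the organization"))
    for m in members_without_2fa:
        findings.append(("high", f"member without 2FA: {m['login']}"))
    perm = org.get("default_repository_permission")
    if perm not in (None, "none", "read"):
        findings.append(("medium", f"default repository permission is {perm}"))
    for c in outside_collaborators:
        findings.append(("low", f"outside collaborator still has access: {c['login']}"))
    return findings


def snapshot(org, members_without_2fa, outside_collaborators):
    """Build the backup document: org settings plus the membership lists."""
    return {
        "taken_at": datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"),
        "org": org,
        "members_without_2fa": [m["login"] for m in members_without_2fa],
        "outside_collaborators": [c["login"] for c in outside_collaborators],
    }


def save_snapshot(doc, directory):
    """Write the snapshot to a timestamped JSON file and return its path."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"{doc['org'].get('login', 'org')}-{doc['taken_at']}.json")
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return path


# Constructed sample responses (assumption), shaped like the real API payloads.
SAMPLE_ORG = {"login": "example-org",
              "two_factor_requirement_enabled": False,
              "default_repository_permission": "write",
              "members_can_create_repositories": True}
SAMPLE_NO_2FA = [{"login": "admin-one"}, {"login": "bot-account"}]
SAMPLE_OUTSIDE = [{"login": "former-contractor"}]


def main(argv):
    token = os.environ.get("GITHUB_TOKEN")
    if len(argv) == 2 and token:
        name = argv[1]
        org = get(f"/orgs/{name}", token)
        no_2fa = get(f"/orgs/{name}/members?filter=2fa_disabled", token)
        outside = get(f"/orgs/{name}/outside_collaborators", token)
    else:
        org, no_2fa, outside = SAMPLE_ORG, SAMPLE_NO_2FA, SAMPLE_OUTSIDE
    for severity, message in audit(org, no_2fa, outside):
        print(f"[{severity}] {message}")
    print("settings saved to", save_snapshot(snapshot(org, no_2fa, outside), "org-backups"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `GITHUB_TOKEN=... ./audit_org.py my-org` from a cron job and keep the `org-backups` directory somewhere off GitHub; the `2fa_disabled` filter only returns data to organization owners, and the snapshot is what lets you compare settings before and after a suspected compromise.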
This is not the first incident that Gentoo has experienced: a quick look in the Neowin archive turned up this article from 2003, when a hacked Gentoo server had to be taken offline. Hopefully, the new measures that Gentoo's admins are putting in place will keep further attacks at bay for good.