To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and contact us by Email at email@example.com with your Git login and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your code is downloaded and backed up on our servers. If we don't receive your payment in the next 10 Days, we will make your code public or use them otherwise.
That is the note you find in your favourite private GitHub or GitLab repository: the attackers leave a short note behind. They force-pushed a single new commit containing the note to the HEAD of the master branch, which makes it look like your entire commit history is gone. In fact it is not gone, and with a few steps you can recover the entire repository.
How did they do it?
It is worth noting that this was not a targeted attack but a random bulk attack carried out by a script that most likely scanned for exposed .git/config files. That file contains the remote URLs, and some people embed username:password in those URLs, which should never be the case. Use SSH, deploy keys, or authenticate on each pull, and let a credential helper hold the secret. Never store your credentials in a config file.
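The check described above, as an added example that is not part of the original post: a small scanner that reads the `[remote "..."]` sections of a .git/config, flags any http(s) remote URL that carries embedded credentials, and prints the sanitised URL together with the `git remote set-url` command that removes them. The config text, the user name, the password and the repository names in it are constructed for the demo; scp-style and ssh:// URLs are left alone because the user name there (typically `git`) is not a secret.

```python
"""Find credentials embedded in the remote URLs of a .git/config.

Added example, not code from the original post. SAMPLE_CONFIG and every name,
host and secret in it are constructed for the demo.
"""
import re
from urllib.parse import urlsplit, urlunsplit

SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:s3cretPassw0rd@github.com/alice/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@gitlab.com:alice/private-app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""

_SECTION = re.compile(r'^\[remote "([^"]+)"\]\s*$')
_URL = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')


def remote_urls(config_text):
    """Return {remote_name: url} for every [remote "..."] section."""
    remotes, current = {}, None
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith('['):       # some other section, e.g. [core]
            current = None
            continue
        m = _URL.match(line)
        if current and m:
            remotes[current] = m.group(1)
    return remotes


def strip_credentials(url):
    """Return (clean_url, had_credentials).

    Only http(s) URLs are considered: in ssh:// and scp-style URLs the user
    name (usually 'git') is not a secret, the key is.
    """
    parts = urlsplit(url)
    if parts.scheme not in ('http', 'https') or not (parts.username or parts.password):
        return url, False
    host = parts.hostname or ''
    if parts.port:
        host = f'{host}:{parts.port}'
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def find_leaked_credentials(config_text):
    """Return [(remote, clean_url, fix_command)] for every remote whose URL
    carries a user name or password."""
    findings = []
    for name, url in remote_urls(config_text).items():
        clean, leaked = strip_credentials(url)
        if leaked:
            findings.append((name, clean, f'git remote set-url {name} {clean}'))
    return findings


if __name__ == '__main__':
    for name, clean, cmd in find_leaked_credentials(SAMPLE_CONFIG):
        print(f'remote {name!r} embeds credentials in its URL; fix with: {cmd}')
```

After running the suggested `git remote set-url`, configure a credential helper (for example `git config --global credential.helper` pointing at your platform's keychain helper) so the password never has to be typed into the URL again, and treat the password that was in the file as compromised.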
The attackers ask for only 0.1 BTC, which was equivalent to $572.3 at the conversion rate at the time of writing. According to Bitcoin Abuse the address had been reported more than 27 times, and it will no doubt continue to be reported.
How to recover from the breach
No doubt the first thing you want to do is get your code back before putting up more defences.
From a local clone that still has the full history, run `git push -u origin master -f && git push --tags -f` to push master and all tags back to the remote. If more branches are affected use
`git push -u --all -f`. The force-push can only restore what your clone holds, so commits that were pushed to the remote but never pulled are not recovered this way. Then change the password (or revoke the token) that was sitting in the config file, since the attackers still have it, and enable 2FA on your account. 2FA is highly recommended because it greatly reduces the chance of such attacks succeeding.
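The recovery procedure above, as an added example that is not part of the original post. The script stands up a local bare repository in place of GitHub/GitLab, replays the attack (an orphan commit holding the note is force-pushed over master and the release tag is deleted), and then restores every branch and tag from an up-to-date clone. The paths, commit messages and the `v1.0` tag are constructed for the demo; `recover_repo` refuses to push if the clone holds no more history than the remote, since a force-push would then gain nothing.

```sh
#!/bin/sh
# Added example, not from the original post: restore a repository whose remote
# master was force-pushed to a single ransom commit, using the history that
# still exists in a local clone. A local bare repo stands in for the hosting
# service; all paths and names are constructed for the demo.
set -eu

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com

# recover_repo <local-clone> [remote]
# Pushes every local branch and tag back with --force, after confirming the
# clone really holds more history than what is now on the remote.
recover_repo() {
  clone="$1"; remote="${2:-origin}"
  git -C "$clone" fetch -q --prune "$remote"
  remote_count=$(git -C "$clone" rev-list --count "$remote/master")
  local_count=$(git -C "$clone" rev-list --count master)
  if [ "$local_count" -le "$remote_count" ]; then
    echo "local clone has no more history than $remote; nothing to restore" >&2
    return 1
  fi
  git -C "$clone" push -q --force --all "$remote"   # every branch
  git -C "$clone" push -q --force --tags "$remote"  # every tag
}

# make_scenario <dir>
# Creates remote.git (the "hosted" repo) and victim (an up-to-date clone with
# three commits and a tag), then replays the attack from a second clone.
make_scenario() {
  dir="$1"
  git -c init.defaultBranch=master init -q --bare "$dir/remote.git"
  git clone -q "$dir/remote.git" "$dir/victim" 2>/dev/null   # empty-repo warning
  git -C "$dir/victim" symbolic-ref HEAD refs/heads/master
  for n in 1 2 3; do
    echo "change $n" >"$dir/victim/file$n.txt"
    git -C "$dir/victim" add "file$n.txt"
    git -C "$dir/victim" commit -q -m "commit $n"
  done
  git -C "$dir/victim" tag v1.0
  git -C "$dir/victim" push -q origin master --tags

  # The attack: an orphan commit carrying only the note replaces master.
  git clone -q "$dir/remote.git" "$dir/attacker"
  git -C "$dir/attacker" checkout -q --orphan ransom
  git -C "$dir/attacker" rm -rfq .
  echo "To recover your lost code ... send 0.1 BTC ..." >"$dir/attacker/README.md"
  git -C "$dir/attacker" add README.md
  git -C "$dir/attacker" commit -q -m "WARNING"
  git -C "$dir/attacker" push -q --force origin ransom:master
  git -C "$dir/attacker" push -q origin --delete v1.0
}

# remote_commits <bare-repo>: commits reachable from master on the remote
remote_commits() { git -C "$1" rev-list --count master; }

# remote_has_tag <bare-repo> <tag>: succeeds if the tag exists on the remote
remote_has_tag() { git -C "$1" rev-parse -q --verify "refs/tags/$2" >/dev/null; }

demo=$(mktemp -d)
make_scenario "$demo"
echo "after attack:   $(remote_commits "$demo/remote.git") commit(s) on remote master"
recover_repo "$demo/victim" origin
echo "after recovery: $(remote_commits "$demo/remote.git") commit(s) on remote master"
```

Against a real hosting service you only need `recover_repo` pointed at your clone; the rest of the script exists to build the before-and-after state locally so the behaviour can be checked without touching a live repository.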
GitHub, GitLab and Bitbucket all sent emails to the accounts they believe were affected, with steps to secure them further.
Securing your repos
- Enable 2FA
- Don't store credentials in .git/config or any other config file; use a credential helper
- Use SSH, deploy keys or authenticate on each pull