Blackmailers target Git repositories

Blackmailers are currently targeting Git repositories on online services such as GitHub, GitLab and Bitbucket. The hackers delete the repository or replace all the commits with a single message: they have a copy on their server, and the victim must pay a certain amount via Bitcoin to get the data back. They give you 10 days to pay and threaten to make your code public or use it otherwise.

A thread on StackExchange reports one of the cases. The victim was unsure how the attackers got access to his account. At first, he thought they had guessed the password with an old technique such as a brute-force attack.

GitLab responded on Friday (2019/05/03) with a blog post on the blackmail. Apparently, its investigation showed that for all affected accounts, the credentials were stored in plain text in a repository associated with the deleted one. Let's have a look at their message.

“As a result of our investigation, we have strong evidence that the compromised accounts have account passwords being stored in plaintext on a deployment of a related repository. We strongly encourage the use of password management tools to store passwords in a more secure manner, and enabling two-factor authentication wherever possible, both of which would have prevented this issue.” – Kathy Wang, Senior Director, Security

GitLab once again specifically calls for using strong and unique passwords. In addition, the operator recommends the use of two-factor authentication and the use of SSH keys.
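
One way to audit your own checkouts and deployed copies for this kind of exposure, as an added example that is not from GitLab or from the original post. It assumes the plaintext password sits in a remote URL inside `.git/config`, which is one common place for it (the post does not say where the passwords were stored); the function names and the sample config are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

SECTION = re.compile(r'^\s*\[\s*([\w.-]+)(?:\s+"([^"]*)")?\s*\]')
URL_LINE = re.compile(r"^\s*(?:push)?url\s*=\s*(\S+)", re.IGNORECASE)


def embedded_credentials(config_text):
    """Return (remote, user, host, redacted_url) per remote URL carrying a password."""
    findings, remote = [], None
    for line in config_text.splitlines():
        section = SECTION.match(line)
        if section:
            # Only [remote "name"] sections hold fetch/push URLs.
            is_remote = section.group(1).lower() == "remote"
            remote = section.group(2) if is_remote else None
            continue
        match = URL_LINE.match(line)
        if not (remote and match):
            continue
        parts = urlsplit(match.group(1))
        if parts.password:  # scheme://user:password@host/path
            secret = ":" + parts.password + "@"
            redacted = match.group(1).replace(secret, ":***@", 1)
            findings.append((remote, parts.username, parts.hostname, redacted))
    return findings


def scan_tree(root):
    """Scan every .git/config below root (a checkout or a deployed copy)."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as handle:
                for finding in embedded_credentials(handle.read()):
                    results.append((path,) + finding)
            dirnames[:] = []  # do not descend further into .git
    return results

# Constructed sample config: one HTTPS remote with a password, one SSH remote.
SAMPLE_CONFIG = """[core]
\tbare = false
[remote "origin"]
\turl = https://deploy:S3cr3t-example@gitlab.example.com/team/app.git
[remote "backup"]
\turl = git@gitlab.example.com:team/app.git
"""
```

Calling `scan_tree()` on a web root or deployment directory lists each config file with an embedded password, with the secret itself redacted in the output; any password found this way should be rotated and the remote switched to an SSH key or a credential helper.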

The majority of developers have a local copy of their repository, so the damage is likely to be minimal in most cases. Because the attackers changed individual files in the repository rather than deleting the source code, programmers should use Git to reset the repository to its pre-attack state, not just replace individual files. If you have a full copy of the repository, you can restore the web repository with the following command:

git push origin HEAD:master --force

References
https://about.gitlab.com/2019/05/03/suspicious-git-activity-security-update/
https://security.stackexchange.com/questions/209448/gitlab-account-hacked-and-repo-wiped