Hi,
On 12 February 2017, I got an email from Bitbucket: "we detected a suspicious login to your Bitbucket Cloud account. We believe that a malicious actor used a large database of usernames and passwords stolen from third party services to access Bitbucket Cloud accounts. We can't know exactly how your password was first compromised, however it was not caused by Atlassian."
Wow. That's huge for me:
- I was using the same password for almost all services (except for Gmail): GitHub, Bitbucket, a lot of web services. In terms of security, that's "bad". I know... but it is convenient...
- I had a few different passwords that I stored in clear text in a text file which was hosted on a private repository on... Bitbucket
While *now* I'm quite sure that the hacker only succeeded in logging in but didn't notice my password file, it was a good "opportunity" to upgrade my security...
By the way, I suggest you subscribe to https://haveibeenpwned.com/, a service that notifies you if one of the services that you are using has been "pwned".
Using victor.stinner@gmail.com you can see "Breaches you were pwned in: Dailymotion (October 2016) and GeekedIn (August 2016)". (There is also a pastebin with my email, but it's just statistics on Mercurial, nothing sensitive :-))
The question is no longer whether you have been hacked, but how much time you have before one of the services that you are using gets hacked... haveibeenpwned.com only references a few breaches that have been made public...
It was an electric shock for me. I immediately changed the password of the most critical services for me: GitHub, Bitbucket and many others. I generated a random password of 10+ characters (using KeePassX). I started to use the KeePassX password manager to stop storing passwords in clear text, with a master passphrase to encrypt all these passwords.
I also acquired a Yubikey Nano. It's $50. You may think that it's expensive. But the question is more: how much do you value all the data on all your computers? Less than $50, seriously? :-)
The next step was to enable 2-factor authentication on GitHub and Bitbucket:
- Configure the Yubikey to generate an OTP for GitHub (for a "long press" on the key)
- Firefox: install https://addons.mozilla.org/fr/firefox/addon/u2f-support-add-on/ to use Yubikey with GitHub (sadly, the plugin doesn't work with Bitbucket nor Google yet)
- Enable 2-factor auth on GitHub and Bitbucket using Yubikey
- Print the two-step recovery codes on paper and keep them safe somewhere
If you cannot afford a Yubikey, or don't want to or cannot use one, you may want to use FreeOTP, a free OTP application for smartphones (I'm using it on Android), usable with GitHub, Bitbucket, Google, etc. It's not exclusive: you can have multiple 2-factor keys (Yubikey, FreeOTP, something else).
Oh, my explanation assumes that you have all already enabled 2-factor auth on your email, right? :-) If you weren't aware: email is simply the *most* critical part of your whole online data. If a hacker gets access to your email, you have already lost all your online accounts...
For Gmail users: you may have a look at https://myaccount.google.com/security as well. Maybe remove old services that have access to your Google account?
After the hack, I also generated a new SSH key, even if it wasn't stored online and is encrypted with a passphrase, just because I had been using the same key for many years. I chose to use the new modern ed25519 key format. It uses an elliptic curve rather than RSA; it's a different kind of security. While I don't know if it's more secure, I read that it's faster :-)
https://en.wikipedia.org/wiki/EdDSA
I was able to use this new key format on all services... except Launchpad.
Changing a private SSH key isn't easy:
- You have to install the new SSH key on most services that you are using
- You have to manually remove the old SSH key from *all* services that you are using (there is no global "SSH revocation" service...)
- I used ~/.ssh/known_hosts to find most services, but also updated GitHub, Bitbucket, etc.
- There are a few other services like psf-salt/psf-chef where you may also want your SSH key updated
- The question is then whether the old SSH key must be removed... the problem is that I never tried to keep track of the services that I'm using through SSH, so I decided to keep the old SSH key (outside ~/.ssh). In practice, I have only been using my new SSH private key for more than 6 months and I was never blocked.
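As an added example (not part of Victor's e-mail), a small POSIX shell helper for the key rotation steps above: it generates an ed25519 key and lists the hosts recorded in ~/.ssh/known_hosts, so you have an inventory of where to install the new public key and remove the old one. The known_hosts content is a constructed sample, and hashed entries are only counted because their host names cannot be recovered from the file.

```shell
#!/bin/sh
# Added example, not code from the original e-mail. Helps with the SSH key
# rotation described above: generate a new ed25519 key, then read a
# known_hosts file to list every host where the new public key must be
# installed and the old one removed. The sample file below is constructed.

# Generate a fresh ed25519 key pair (-a: KDF rounds protecting the passphrase).
generate_ed25519_key() {
    ssh-keygen -t ed25519 -a 100 -f "$1" -C "$2"
}

# Print each distinct host name or address found in a known_hosts file
# (path as $1, or stdin), once, in order of first appearance.
known_hosts_names() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        {
            f = ($1 ~ /^@/) ? $2 : $1           # skip @cert-authority / @revoked marker
            if (index(f, "|1|") == 1) next      # hashed entry: name not recoverable
            n = split(f, names, ",")            # "host,alias,ip" patterns
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/]:[0-9]+$/, "", h)   # [host]:port -> host
                if (!(h in seen)) { seen[h] = 1; print h }
            }
        }' "$@"
}

# Count hashed entries; check those by hand, e.g. with "ssh-keygen -F host".
count_hashed_entries() {
    awk 'index($1, "|1|") == 1 || index($2, "|1|") == 1 { n++ } END { print n + 0 }' "$@"
}

# Constructed sample known_hosts; the key material is placeholder text, not real keys.
sample_known_hosts() {
    cat <<'EOF'
# comment line
github.com,140.82.121.4 ssh-ed25519 AAAAexampleKeyDataNotReal1
bitbucket.org ssh-rsa AAAAexampleKeyDataNotReal2
[git.example.org]:2222 ecdsa-sha2-nistp256 AAAAexampleKeyDataNotReal3
github.com ssh-rsa AAAAexampleKeyDataNotReal4
|1|saltsaltsaltsaltsaltsaltsalt=|hashhashhashhashhashhash= ssh-ed25519 AAAAexampleKeyDataNotReal5
EOF
}

# Usage: sample_known_hosts | known_hosts_names   (or: known_hosts_names ~/.ssh/known_hosts)
```

On a real file, pair the output with the account pages of each listed service; hosts that only appear as hashed lines still need to be checked one by one.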
I also had trouble getting the SSH agent working on Gnome with my ed25519 key, but I succeeded in enabling the regular ssh-agent using systemd --user. Tell me if you want instructions for this part as well.
Victor