Hackers stole password hashes and email addresses from 100,000 npm users in April
Attackers stole usernames, hashed passwords and email addresses of approximately 100,000 npm users in the April attack on npm. They got in using OAuth tokens stolen from two third-party services.
With the stolen OAuth tokens, the attackers were able to access npm repositories, writes npm's parent company GitHub. There they obtained AWS access keys. With those keys, the attackers downloaded older backups of the JavaScript developer platform npm from npm's AWS infrastructure, containing metadata and package manifests for all public and private packages as of April 2021. This includes readme files, package version histories, maintainer email addresses and package install scripts. The package artifacts themselves were not included.
The backup also contained an archive of npm user information from 2015 with login data for approximately 100,000 npm users: usernames, email addresses and hashed passwords. The passwords were hashed with PBKDF2 or with salted SHA-1. GitHub says these weaker hashing schemes have not been used since 2017, when npm switched to bcrypt. A salt defeats precomputed tables, but a single round of a fast hash such as SHA-1 still lets anyone holding the dump test password guesses offline at full speed, which is why the affected passwords were reset.
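To make the difference between the leaked schemes concrete, here is an added example (not code from GitHub or npm, and not npm's real storage format, which the article does not describe). It assumes a constructed record layout, runs the offline dictionary attack that a stolen dump like this invites, and shows a migration-on-login upgrade of legacy records. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which npm actually moved to, so that the block runs without third-party packages; all user names, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed record formats, assumed here for illustration only (the article does
# not describe npm's actual 2015 storage format):
#   "sha1$<salt hex>$<hex sha1(salt || password)>"
#   "pbkdf2$<iterations>$<salt hex>$<hex PBKDF2-HMAC-SHA256>"
# PBKDF2-HMAC-SHA256 stands in for bcrypt so the example needs no third-party code.

PBKDF2_ITERATIONS = 600_000  # work factor for newly written hashes


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    """The weak legacy scheme: one round of SHA-1 over salt || password."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The stronger scheme: an iterated, deliberately slow key derivation."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
    return f"pbkdf2${iterations}${salt.hex()}${digest}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    scheme, *fields = stored.split("$")
    if scheme == "sha1":
        salt_hex, digest = fields
        candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    elif scheme == "pbkdf2":
        iterations, salt_hex, digest = fields
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        ).hex()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, digest)


def hashes_per_guess(stored: str) -> int:
    """Underlying hash iterations an attacker pays per candidate password.
    Salted SHA-1 costs one; PBKDF2 costs its iteration count, so the same
    dictionary attack is that many times slower against it."""
    scheme, *fields = stored.split("$")
    return 1 if scheme == "sha1" else int(fields[0])


def crack(records: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack on a leaked dump: the salt stops precomputed
    tables, but every record can still be guessed at individually."""
    found = {}
    for user, stored in records.items():
        for guess in wordlist:
            if verify(guess, stored):
                found[user] = guess
                break
    return found


def login_and_upgrade(records: dict[str, str], user: str, password: str) -> bool:
    """Verify a login and, on success, transparently rehash a legacy sha1 record
    with the stronger scheme (migration-on-login). Returns True on success."""
    stored = records.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha1$"):
        records[user] = pbkdf2_hash(password, secrets.token_bytes(16))
    return True


# Constructed sample dump with fixed salts so the example is reproducible.
SAMPLE_RECORDS = {
    "alice": legacy_sha1_hash("hunter2", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "bob": legacy_sha1_hash("Tr0ub4dor&3", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
    # low iteration count only to keep the demo quick; real stores use PBKDF2_ITERATIONS
    "carol": pbkdf2_hash("hunter2", bytes.fromhex("0123456789abcdef0123456789abcdef"), iterations=1000),
}
SAMPLE_WORDLIST = ["123456", "password", "hunter2", "qwerty"]

if __name__ == "__main__":
    print("cracked:", crack(SAMPLE_RECORDS, SAMPLE_WORDLIST))
    for name, record in SAMPLE_RECORDS.items():
        print(name, "costs", hashes_per_guess(record), "hash iteration(s) per guess")
```

Running the block recovers `alice` and `carol` (both used a word from the list) and leaves `bob` alone; the point is the cost column: against the SHA-1 records each guess is one hash, against the PBKDF2 record it is the full iteration count, and a real deployment would use the 600,000-iteration default rather than the 1,000 used to keep the demo quick.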
npm has reset the passwords of these 100,000 users and is informing them of the breach by email. Since March this year, email verification has been mandatory when logging in to accounts without two-factor authentication. GitHub says it has no evidence that the attackers modified packages or published new versions of existing packages.
GitHub first wrote about the OAuth incident in early April: attackers used OAuth tokens issued to Heroku and Travis CI to download data from private repositories on GitHub. Heroku later found that its user passwords had also been stolen and forced a password reset for all user accounts.
Separately from the OAuth investigation, GitHub found that certain credentials were stored in plaintext in an internal logging system for npm services. This concerns a ‘small number’ of passwords. GitHub stresses that there is no evidence the attackers had access to this data and that it was only visible to GitHub employees. GitHub will notify those affected, has deleted the data and says it has improved its process for cleaning up log data.