Information clumsily scraped from some 8.2 million unique GitHub profiles was leaked online last Saturday by IT recruitment platform GeekedIn via a vulnerability in MongoDB, according to security researcher Troy Hunt.
“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” wrote Hunt.
Hunt, a victim of the hack himself, found out about the leak when contacted by a trader selling the compromised file. Although Hunt’s GitHub profile only contained his email and location, others lost much more detailed data, including usernames, names, email addresses and work-related information. The data on GitHub was available to third parties for recruiting purposes only.
“Third parties frequently scrape public GitHub data for various reasons, such as research or archival purposes,” GitHub stated, when informed by Hunt about the breach. “We permit this type of scraping so long as any user’s personal information is only used for the same purpose for which they gave that information to GitHub. Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use.”