GitHub account recovery codes accessed
Description
AlphaSOC detected access to GitHub account recovery codes. Account recovery codes serve as backup authentication methods when primary authentication methods are unavailable. While recovery code access may occur during legitimate account recovery scenarios, threat actors may also target these codes to gain persistent access to GitHub accounts and bypass multi-factor authentication.
Impact
Adversaries who obtain access to recovery codes can potentially take control of GitHub accounts, access private repositories, steal source code and secrets, modify code, and maintain persistence even if primary credentials change. These actions could result in intellectual property theft, code tampering, and supply chain compromises.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub account recovery codes accessed |
Investigation and Remediation
Review GitHub audit logs to determine where the recovery code was accessed from and identify the associated user account. Verify whether access originated from authorized users or devices. If unauthorized access occurred, reset all recovery codes, revoke active sessions, enable stronger authentication controls, and audit repository access history for signs of compromise.
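The audit log review described above can be scripted. The following is an added example, not AlphaSOC's or GitHub's own code: it scans a JSON Lines audit log export for recovery code events and marks those coming from an IP address the same actor has not used earlier in the export. The action names are assumed from GitHub's documented security log events, and the `actor`, `actor_ip` and `@timestamp` fields are assumed to be present in the export; the log lines are constructed sample data.

```python
import json
from collections import defaultdict

# Assumption: action names as listed in GitHub's security log event documentation.
RECOVERY_ACTIONS = {
    "user.two_factor_recovery_codes_downloaded",
    "user.two_factor_recovery_codes_printed",
    "user.two_factor_recovery_codes_viewed",
    "user.two_factor_recovery_codes_regenerated",
}

# Constructed sample export (JSON Lines); IPs are from documentation ranges.
SAMPLE_LOG = """\
{"@timestamp": 1714550000000, "action": "user.login", "actor": "alice", "actor_ip": "198.51.100.7"}
{"@timestamp": 1714550060000, "action": "user.two_factor_recovery_codes_viewed", "actor": "alice", "actor_ip": "198.51.100.7"}
{"@timestamp": 1714553600000, "action": "user.login", "actor": "bob", "actor_ip": "203.0.113.20"}
{"@timestamp": 1714555000000, "action": "repo.create", "actor": "bob", "actor_ip": "203.0.113.20"}
{"@timestamp": 1714557200000, "action": "user.two_factor_recovery_codes_downloaded", "actor": "bob", "actor_ip": "192.0.2.99"}
"""


def triage(log_text):
    """Return recovery code events in time order, each marked with whether
    the source IP is new for that actor within this export."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e.get("@timestamp", 0))
    seen_ips = defaultdict(set)  # actor -> IPs observed before the current event
    findings = []
    for event in events:
        actor, ip = event.get("actor"), event.get("actor_ip")
        if event.get("action") in RECOVERY_ACTIONS:
            findings.append({
                "actor": actor,
                "action": event["action"],
                "ip": ip,
                "timestamp": event.get("@timestamp"),
                # A missing IP cannot be verified, so it is treated as new.
                "new_ip": ip is None or ip not in seen_ips[actor],
            })
        if ip:
            seen_ips[actor].add(ip)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Events marked `new_ip` are the ones to verify with the account owner first; a short export window will mark more events as new simply because less history is available.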