GitHub Community
Boot.dev app added to account without authorization #170695
-
Select Topic AreaQuestion BodyThe Boot.dev app was added to my account without authorization, in what I assume was a hack of either my account or GitHub's app authorization process. There doesn't seem to be any way to report security issues to GitHub---none of the Support options clearly applies. How do I report a GitHub security breach? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
If an app got added to your GitHub account without you approving it, you should treat it as a possible account hack. First, remove the app from Settings → Applications → Authorized OAuth Apps, then change your password and turn on two-factor authentication. Also check your access tokens, SSH keys, and your security log |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, I already changed pw/added 2fa and revoked the app access. I just didn't see anyplace to report it to GitHub. I'll email security@github.com, but they really should have a prominent link for reporting security issues. The Support page has no guidance for this kind of issue, only "abuse and spam". |
Beta Was this translation helpful? Give feedback.
-
|
Update: turns out a contractor had been logged into the account and didn't realize it when authorizing Boot.dev. |
Beta Was this translation helpful? Give feedback.
If an app got added to your GitHub account without you approving it, you should treat it as a possible account hack. First, remove the app from Settings → Applications → Authorized OAuth Apps, then change your password and turn on two-factor authentication. Also check your access tokens, SSH keys, and your security log
for anything suspicious. To let GitHub know, you can email security@github.com
or report it through their HackerOne page When you report, include the app’s name, when it was added, and what you found in your security log so GitHub can properly investigate.