GitHub.com has taken the precautionary measure of rotating its private RSA SSH key after it was accidentally exposed in a public repository. Although the key was only briefly exposed, GitHub has replaced it to ensure the security of its users. GitHub’s Chief Security Officer and SVP of Engineering, Mike Hanley, stated that the exposure was not the result of a compromise of any GitHub systems or customer information, but rather the inadvertent publishing of private information.
While GitHub has no reason to believe that the key was abused, it has rotated the key as a necessary step to protect users from potential impersonation or eavesdropping. The exposed RSA key in question does not grant access to GitHub’s infrastructure or customer data, and the change only impacts Git operations over SSH using RSA. The old SSH fingerprint is still in use by multiple docs and software projects, so users should update their known_hosts file with GitHub’s new key fingerprint to avoid security warnings when making SSH connections.