"The most scary part of this is that anyone could have just looped through all of these keys just trying to SSH into GitHub to see the banner it gives you," Cox said Tuesday in a blog post. "It would be safe to assume that due to the low barrier of entry for this, the users who have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker."
In addition to their own repositories, some of the users with weak keys had access to third-party projects including "Spotify's public repos, Yandex's public repos, crypto libraries for Python, Python's core, Django, gov.uk public repos, Couchbase and a ruby gem that is used on a large amount of CI systems," according to Cox.
Cox said that GitHub was notified and revoked the keys affected by the Debian bug in early May and other low-quality keys in early June.
"If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cox said in his blog post.
Sign up for CIO Asia eNewsletters.