Yesterday, GitHub users were automatically logged out of their accounts after their sessions were invalidated in order to protect accounts from a potentially dangerous security vulnerability. Last week, GitHub received reports that they were being targeted by suspicious behaviour from an external party.
This suspicious behaviour related to a rare race condition vulnerability. The vulnerability was rerouting GitHub users to the web browser of other logged-in users. This meant that the users who were being rerouted were given access to another user’s account. Therefore, in order to protect users, GitHub logged out all users who were signed in before March 8th, 12:03 UTC.
On Friday GitHub remediated the security flaw, and the process of invalidating user sessions was the final step in patching the bug.