Unmasking password attacks at GitLab

Our security team has identified an increased volume of password attacks against GitLab.com on the OAuth API endpoint, starting on September 22, 2023. These attacks appear automated and are attempting to authenticate to multiple accounts that have simple usernames. While GitLab remains secure, we are increasing our security measures and are closely monitoring all activities to reduce the risk of account compromise.

GitLab Security continues to monitor the attacks and is confident that our security controls are effectively mitigating them. To prevent these activities from locking out your accounts, GitLab recommends you enable two-factor authentication. We recently implemented a product update to reduce the chances that accounts with two-factor authentication will get locked out.

We recommend the following precautions:

• Enforce GitLab-layer two-factor authentication for accounts in your GitLab namespace.
• Use the Restrict Group Access by IP Address feature, which allows you to specify the IP addresses from which users can access the group. It is a helpful measure to ensure that only individuals within the organization can access specific resources.
• Use Git Abuse Rate Limiting to automatically ban users who download, clone, pull, fetch, or fork more than a specified number of repositories of a group in a given time frame.
• The password attempts could evolve and target another endpoint in the future. We recommend using strong, unique passwords and changing them regularly.
• Be vigilant against phishing attempts and report any suspicious activities to our support team immediately.