GitLab Password suddenly changed


I’ve just received an email from that my password had been changed.
And indeed, when I went to I’ve been logged off and my password was no longer valid.

I immediately changed my password and received an email to “Reset my password”, and I followed the link and changed it.

Then I got an email yet again about a password change but this time it was me.

A few strange things:

  1. No email requesting my first password reset
  2. No unrecognised logins in the GitLab authorization log

Any idea how I can understand who changed my password and whether my projects have been exposed?

Hi @prhing, welcome to the GitLab Community forum!

Your password was reset because we detected a suspicious login on your account. You should be getting another email from us to explain these changes coming soon (if you’ve not already received it). Sorry for any confusion caused by the delay in notifications.

I got the same email. I am kinda worried, because unfortunately my email is on ihavebeenowned.

I have since removed existing keys and changed passwords.

Is it possible to know if my account settings and data were accessed, or did gitlab block it by being a “suspicious login”?

I have got the same email and it made me worried.

I received the same email at approximately the same time as @prhing. I am worried about that. Should I check/Is there any way I can check activities since the suspicious activity that GitLab mentioned in the email? Or is this just a batch security action taken by the GitLab team on multiple potentially breached accounts? Checking the authorization log shows no unusual activities, though.

I received an email too, then 6 minutes after that I got an email that a suspicious activity has been detected.

Authorization logs showed nothing. Is there any way to figure out if my data got downloaded?!

EDIT: so wait, now that I’m reading this again, @gitlab-greg, did you mean that someone tried to access our accounts and gitlab immediately reset it, where we then got the password reset email, THEN we get the email that a suspicious login attempt was detected? Which means that a login never happened, which would explain why there’s nothing in the authentication log?

If so that’ll save me a lot of headaches, can you please confirm that this is the case?

Hi @orsanawwad, good questions, sorry for any confusion.

The two emails, “Suspicious login attempt detected” and “Password Reset” should’ve gone out simultaneously. There was a delay that caused the Password reset email to go out a few minutes before the Suspicious login account, which understandably caused security-minded folks to worry their account was hacked.

There was a suspicious login attempt on your account and the password reset was a precautionary measure. There is no evidence that any of your data was accessed or breached, just a login attempt on your account that we tied to a suspected credential stuffing attack. This is why there are no entries in the authentication log.

To add a layer of security and reduce risk of account compromise in the future, I suggest enabling 2FA on your account and always using strong, unique passwords.