So I have been using GitHub for quite a while. When I tried to log in a couple of days ago, it told me my password is wrong. Which is impossible. I remember it. I wrote it down. It's the same as it was before. Luckily I was able to get hold of the old outlook.com email I was using when I signed up. Haven't used Outlook in ages and it greeted me with a prompt to give them a phone number. I refused and luckily it told me that I can skip it for now but they will disable access completely in 7 days. So I got a password reset link from GitHub. When I tried to use the same password again that I used before GitHub told me:

>The new password you provided has been reported as compromised due to re-use of that password on another service by you or someone else. GitHub has not been compromised directly. Your password was not saved. Please choose a stronger password.

So is this the reason for the lockout? That they somehow false-positively thought my password was reused somewhere? It is impossible that it really has been used anywhere else. It is a long random-like password that I only used on GitHub. haveibeenpwned.com also comes back empty on my email. How can I get more info about this? What if I had let slip those 7 days Microsoft gave me to access my old email account? Would my access to my GitHub account be gone forever? What do I do now to keep my account secure? I would never give Microsoft my phone number. So that's not an option for me.
https://blog.github.com/changelog/2018-07-31-new-improvement...
>Several years ago, security researcher Troy Hunt sought to tackle the compromised passwords problem with his HaveIBeenPwned.com project. While Troy hosts a service that people and services can use to check for compromised passwords, he also generously made the approximately 517 million record dataset available for download. Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data.
>Starting today, people using compromised passwords will be prompted to select a different password during login, registration, or when updating their password. Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us.
https://blog.github.com/2018-07-31-new-improvements-and-best...
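
An added illustration, not part of the thread and not GitHub's code: a minimal offline compromised-password check of the kind the quoted changelog describes, assuming a local list in the Pwned Passwords download format (sorted `SHA1:COUNT` lines). The sample passwords, counts and function names are constructed for the example; the lookup is keyed on the password hash alone and runs only when the plaintext is submitted.

```python
import bisect
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key format of the Pwned Passwords list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_dataset(entries: dict[str, int]) -> list[str]:
    """Constructed stand-in for the download: sorted 'HASH:COUNT' lines."""
    return sorted(f"{sha1_hex(pw)}:{count}" for pw, count in entries.items())


def breach_count(dataset: list[str], password: str) -> int:
    """Binary-search the sorted list; return the breach count, 0 if absent."""
    digest = sha1_hex(password)
    i = bisect.bisect_left(dataset, digest)
    if i < len(dataset) and dataset[i].startswith(digest + ":"):
        return int(dataset[i].split(":", 1)[1])
    return 0


def accept_new_password(dataset: list[str], password: str) -> bool:
    """Run at login, registration or password change, while the plaintext is
    in hand. The stored bcrypt hash cannot be compared against the list,
    so this is the only point where the check is possible."""
    return breach_count(dataset, password) == 0


# Constructed sample data: passwords and counts are made up for the example.
SAMPLE = build_dataset({"password123": 120000, "hunter2": 17000, "qwerty": 3900000})

if __name__ == "__main__":
    for candidate in ("hunter2", "k7#Vq2!mZp0wLr9x-constructed"):
        verdict = "accepted" if accept_new_password(SAMPLE, candidate) else "rejected"
        print(f"{candidate!r}: seen {breach_count(SAMPLE, candidate)} times, {verdict}")
```
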