The public key can be derived from the private key. They then check both certificate transparency, to see if the public key matches any certificates that have been generated, and to see if it's used by a GitHub user (will this public key let me into a GitHub repo?).

If neither, then it's not sensitive (well, it might be, but only like finding a key on the floor in the street is -- it won't do you much good without knowing where you can use it).

In the first case, if you have the private key, you can spoof the website. In the second case, if you have the private key, you not only have push access to the repos that user has (which could be quite wide-ranging), but you're also likely able to get into many servers via SSH, as developers tend to use the same SSH key for GitHub and for server access.

What their latest software does is take your key and check it against these sources. Now, private keys have a further layer of protection: the passphrase. Turns out the majority of passphrases belonging to the leaked private keys are trivial ones. Many leaked keys are unlikely to be used anywhere, but it turns out many more are.
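The "derive the public half, then look it up" step from the comment, as an added example for key-leak triage (not the commenter's code and not the researchers' tool): OpenSSH's openssh-key-v1 file stores the public key outside the encrypted section, so the fingerprint of a found key can be read and matched against an inventory of known public keys (an authorized_keys file, or a user's public `.keys` listing) even when a passphrase protects the private half, which tells a defender which account or host to rotate. The key bytes, the inventory label and the `constructed_private_key` builder are constructed for the demo; no real keypair is involved.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset; return (value, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def public_blob_from_private(pem: str):
    """Return (public-key blob, passphrase_protected) from an openssh-key-v1 file."""
    raw = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 private key")
    cipher, off = read_string(raw, len(MAGIC))   # 'none' for an unprotected key
    kdf, off = read_string(raw, off)             # 'none' or 'bcrypt'
    kdfopts, off = read_string(raw, off)
    off += 4                                     # uint32 key count; one key per file in practice
    pub_blob, _ = read_string(raw, off)          # stored in the clear, outside the encrypted section
    return pub_blob, cipher != b"none"

def fingerprint(pub_blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of SHA-256 over the blob, '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(pub_blob).digest()).decode().rstrip("=")

def fingerprint_of_public_line(line: str) -> str:
    """Fingerprint an 'ssh-ed25519 AAAA... comment' line (authorized_keys, or a GitHub user's .keys listing)."""
    return fingerprint(base64.b64decode(line.split()[1]))

def triage(pem: str, inventory: dict):
    """Map a found private key to the inventory label it would unlock (None if unknown) plus its passphrase status."""
    pub_blob, protected = public_blob_from_private(pem)
    return inventory.get(fingerprint(pub_blob)), protected

def constructed_private_key(pub: bytes, priv: bytes, cipher: bytes = b"none") -> str:
    """Wrap CONSTRUCTED bytes in the openssh-key-v1 layout (not a real keypair; cipher is only a header value)."""
    pub_blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    sec = struct.pack(">II", 7, 7) + pub_blob + ssh_string(priv) + ssh_string(b"dev@laptop")
    sec += bytes(range(1, 9 - len(sec) % 8)) if len(sec) % 8 else b""   # pad to the 8-byte block size
    raw = (MAGIC + ssh_string(cipher) + ssh_string(b"none") + ssh_string(b"") + struct.pack(">I", 1)
           + ssh_string(pub_blob) + ssh_string(sec))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

Build the inventory once with `{fingerprint_of_public_line(l): label for l in lines}` over your authorized_keys entries, then call `triage(pem_text, inventory)` for each key found in a leak; a hit with `protected=True` still names the account to rotate, since the passphrase only slows down use of the private half.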