
Tell HN: GitHub might have been leaking your webhook secrets. Check your emails.

19•ssiddharth•3h ago
Got an email from GitHub a few minutes back asking me to rotate my webhook secrets, the relevant portions of it below.

We're writing to let you know that between September 2025 and January 2026, webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries. This means that any system receiving webhook payloads during this window could have logged the webhook secret from the request headers. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint in a base64-encoded format. We have no evidence to suggest your secrets were intercepted. This issue was fixed on January 26, 2026. Please read on for more information.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event.

What happened?

On January 26, 2026, GitHub identified a bug in a new version of the webhook delivery platform where webhook secrets were included in an `X-Github-Encoded-Secret` HTTP header sent with webhook payloads. This header was not intended to be part of the delivery and made the webhook secret available to the receiving endpoint in a base64-encoded format. Webhook secrets are used to verify that deliveries are genuinely from GitHub, and should only be known to GitHub and the webhook owner.

The bug was limited to only a subset of webhook deliveries that were feature flagged to use this new version of the webhooks platform. The bug was present between September 11, 2025, and December 10, 2025, and briefly on January 5, 2026. The bug was fixed on January 26, 2026.

What information was involved?

The webhook secret for each affected webhook was included in HTTP request headers during the window that the bug was present. The webhook payload content itself was delivered normally and was not additionally affected. No other credentials or tokens were affected. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint.

If the receiving system logged HTTP request headers, the webhook secret may be present in those logs. The webhook secret is used to compute the `X-Hub-Signature-256` HMAC signature on deliveries — if compromised, an attacker who knows the secret could forge webhook payloads to make them appear to come from GitHub.

Comments

esher•3h ago
Got that too. My first reaction: Go to HN to understand what's going on. Where are the comments?
sph•2h ago
> webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries

LOL how does this even happen?

freakynit•2h ago
Same reaction of mine as well. I mean, how do you even fck up this way? ... I don't know why, but this is giving me vibe-coded vibes.

Developer might have prompted to include some signature (definitely they didn't use this word, or else AI would not have messed this way) to verify the webhooks as being coming from legitimate source, and AI probably went ahead with the secret key itself :)

suralind•2h ago
How come it took them so much time to send this notification? I'm so fed up with their bs.
