GitHub found the bug was due to a rare condition in a backend request handling process that could have misrouted a user’s session to a different authenticated user’s browser, giving that second user the first user’s valid and authenticated session cookie. GitHub said the problem wasn’t the result of compromised account passwords, SSH keys, or personal access tokens (PATs), and that there’s no evidence to suggest this was the result of a compromise of any other GitHub systems. “Instead, this issue was due to the rare and isolated improper handling of authenticated sessions. Further, this issue could not be intentionally triggered or directed by a malicious user,” said Mike Hanley, CSO at GitHub.