
Tracking epic - Detect & automate alerting for known compromised GitLab user account credentials


This is a public version of the confidential epic containing details of the work. Once released, that epic will be made public, so this only covers the high-level context of the feature being introduced.

Credential stuffing attacks pose a risk to GitLab.com user accounts. Other organizations already warn their users when a password they use is known to be compromised and advise them to change it. A great example of this proactive account protection mechanism is Zoom, which publicly states that user passwords are matched against known compromised credential sets. If a user's password matches a known compromised password, Zoom notifies the user, and if no action is taken, Zoom logs the user out to highlight the risk to the user.
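As an added illustration of the match-then-alert flow described above (this is example code, not code from the epic or from the GitLab codebase), the sketch below checks a password against a constructed compromised-credential corpus using a k-anonymity prefix lookup and then decides whether to notify the user, wait, or force a log-out. The corpus contents, the `range_lookup` service shape, the 72-hour grace period and the account fields are all assumptions.

```ruby
require 'digest'
require 'set'

# Constructed stand-in for a compromised-credential corpus: SHA-1 digests of a
# few placeholder passwords (not real breach data), indexed by 5-hex-char prefix.
SAMPLE_BREACHED = %w[password123 letmein Summer2023!].freeze
CORPUS_BY_PREFIX = SAMPLE_BREACHED.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |pw, idx|
  digest = Digest::SHA1.hexdigest(pw).upcase
  idx[digest[0, 5]] << digest[5..]
end

# Simulates the range endpoint of a breach-corpus service (assumed shape): given
# only the first five hex chars of a SHA-1 digest, returns all matching suffixes.
def range_lookup(prefix)
  CORPUS_BY_PREFIX.fetch(prefix, Set.new)
end

# k-anonymity check: only the 5-char prefix leaves the caller; the full digest
# and the password itself are compared locally and never transmitted.
def compromised?(password)
  digest = Digest::SHA1.hexdigest(password).upcase
  range_lookup(digest[0, 5]).include?(digest[5..])
end

GRACE_PERIOD = 72 * 3600 # seconds the user has to act after the warning (assumed)

# Decides the next protective step for an account, following the notify-then-
# log-out flow from the issue. `account` is a hash with :password,
# :notified_at (Time or nil) and :password_changed_at (Time or nil).
def next_action(account, now: Time.now)
  return :none unless compromised?(account[:password])
  notified = account[:notified_at]
  changed = account[:password_changed_at]
  # First detection, or the user switched to another compromised password: warn.
  return :notify if notified.nil? || (changed && changed > notified)
  now - notified >= GRACE_PERIOD ? :force_logout : :await_user
end
```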

Protecting our customers and users of the GitLab platform is of utmost importance. Proactively warning them when they are using a compromised password that an attacker could use is a protection mechanism that will build customer confidence in our proactive security measures to keep GitLab and our customers safe. This feature introduces the capability for users on GitLab.com

Edited by 🤖 GitLab Bot 🤖