@ltrgoddard
Created April 14, 2026 22:23
Action needed: Rotate webhook secrets in your GitHub account
Date: Tue, 14 Apr 2026 09:23:34 -0700
From: GitHub Security <no-reply@github.com>
To: Louis Goddard <louisgoddard@gmail.com>
Message-ID: <69de6a0681681_1717fa110878942@github-lowworker-4c41d26.va3-iad.github.net.mail>
Subject: Action needed: Rotate webhook secrets in your GitHub account
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Auto-Response-Suppress: All
Hi ltrgoddard,

We're writing to let you know that between September 2025 and January 2026, webhook secrets for webhooks you are responsible for were inadvertently included in an HTTP header on webhook deliveries. This means that any system receiving webhook payloads during this window could have logged the webhook secret from the request headers. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint in a base64-encoded format. We have no evidence to suggest your secrets were intercepted. This issue was fixed on January 26, 2026. Please read on for more information.

User privacy and security are essential for maintaining trust, and we want to remain as transparent as possible about events like these. GitHub itself did not experience a compromise or data breach as a result of this event.

* What happened? *
On January 26, 2026, GitHub identified a bug in a new version of the webhook delivery platform where webhook secrets were included in an `X-Github-Encoded-Secret` HTTP header sent with webhook payloads. This header was not intended to be part of the delivery and made the webhook secret available to the receiving endpoint in a base64-encoded format. Webhook secrets are used to verify that deliveries are genuinely from GitHub, and should only be known to GitHub and the webhook owner.

The bug was limited to only a subset of webhook deliveries that were feature flagged to use this new version of the webhooks platform. The bug was present between September 11, 2025, and December 10, 2025, and briefly on January 5, 2026. The bug was fixed on January 26, 2026.

* What information was involved? *
The webhook secret for each affected webhook was included in HTTP request headers during the window that the bug was present. The webhook payload content itself was delivered normally and was not additionally affected. No other credentials or tokens were affected. Webhook deliveries are encrypted in transit via TLS, so the header containing the secret was only accessible to the receiving endpoint.

If the receiving system logged HTTP request headers, the webhook secret may be present in those logs. The webhook secret is used to compute the `X-Hub-Signature-256` HMAC signature on deliveries — if compromised, an attacker who knows the secret could forge webhook payloads to make them appear to come from GitHub.

* What GitHub is doing *
GitHub deployed a fix on January 26, 2026 to remove the `X-Github-Encoded-Secret` header from webhook deliveries. We then began a thorough investigation to identify all affected webhooks and their responsible owners.

We are notifying all users who own or administer webhooks that were affected during the window that the bug was present so they can rotate their webhook secrets.

* What you can do *
1. Rotate your webhook secrets immediately. While we have no evidence your secrets were intercepted, the affected secrets should still be treated as compromised. At the end of this email is a list of your affected webhooks — generate a new random secret for each one: https://docs.github.com/en/webhooks/using-webhooks/editing-webhooks

2. Review your receiving systems. If the system receiving webhook deliveries logged HTTP request headers, purge those logs to limit further access to the included secrets.

3. Verify webhook signatures. After rotating the secret, confirm your receiving endpoint validates the `X-Hub-Signature-256` header using the new secret: https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries

Note: if the webhook (or resource that owned the webhook such as a repository) has already been deleted, you can disregard that webhook in the list of affected webhooks and do not need to take any action for it.

Please feel free to reach out to GitHub Support with any additional questions or concerns through the following contact form:
[REDACTED]

Thanks,
GitHub Security
<Reference # [REDACTED]>
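Steps 2 and 3 of the notice ask webhook owners to check whether their receiver logged the stray header and to confirm that the endpoint validates `X-Hub-Signature-256` with the rotated secret. The Python below is an added example, not code from the notice or from GitHub. It assumes (an assumption of this example, not something the notice states) that the leaked header value was the plain base64 encoding of the raw secret; the secret, payload and log lines are constructed sample values.

```python
import base64
import hashlib
import hmac
import re
from typing import List, Optional

# Constructed sample values; not real secrets or deliveries.
SECRET = b"example-webhook-secret-rotate-me"
PAYLOAD = b'{"action":"opened","repository":{"full_name":"example/repo"}}'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Compute the X-Hub-Signature-256 value for a raw request body:
    'sha256=' followed by the hex HMAC-SHA256 of the body under the secret."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Accept a delivery only if the header is present, carries the expected prefix,
    and matches the HMAC of the exact bytes received. compare_digest avoids leaking
    how many leading bytes matched through timing."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


# Header name matched case-insensitively: proxies and loggers often lowercase it.
LEAK_HEADER_RE = re.compile(r"x-github-encoded-secret\s*:\s*(\S+)", re.IGNORECASE)


def find_leaked_secret_headers(log_lines: List[str]) -> List[int]:
    """Return 1-based line numbers of log lines that recorded the stray header.
    Only positions are returned so the report itself does not re-expose the value."""
    return [n for n, line in enumerate(log_lines, 1) if LEAK_HEADER_RE.search(line)]


def secret_appears_in_logs(secret: bytes, log_lines: List[str]) -> bool:
    """Check whether one specific secret was captured, under this example's
    assumption that the header value was the standard base64 of the raw secret."""
    encoded = base64.b64encode(secret).decode("ascii")
    return any(encoded in line for line in log_lines)


# Constructed header log, in the style of a receiver that dumps request headers.
# The fourth line reproduces the header the notice describes.
SAMPLE_LOG = [
    '2025-10-02T12:00:01Z POST /hooks/github user-agent="GitHub-Hookshot/abc123"',
    "2025-10-02T12:00:01Z hdr x-github-event: pull_request",
    "2025-10-02T12:00:01Z hdr x-hub-signature-256: " + sign_payload(SECRET, PAYLOAD),
    "2025-10-02T12:00:01Z hdr x-github-encoded-secret: "
    + base64.b64encode(SECRET).decode("ascii"),
    "2025-10-02T12:00:02Z 200 OK",
]


if __name__ == "__main__":
    header = sign_payload(SECRET, PAYLOAD)
    print("valid delivery accepted:", verify_signature(SECRET, PAYLOAD, header))
    print("tampered body rejected:", not verify_signature(SECRET, PAYLOAD + b" ", header))
    print("log lines carrying the stray header:", find_leaked_secret_headers(SAMPLE_LOG))
    print("this secret is in the logs:", secret_appears_in_logs(SECRET, SAMPLE_LOG))
```

Run the scan over the receiver's header logs for the dates the notice gives; any hit means the secret for that webhook should be treated as exposed and the log purged after rotation. The signature check must be run against the raw request bytes, before any JSON parsing or re-serialisation, because the HMAC is computed over the body exactly as GitHub sent it.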