Someone at GitHub accidentally posted the RSA SSH host private key on the site. That’s why GitHub changed the key.

Do you want to hijack an SSH connection and impersonate GitHub? Then you need the RSA private key from the code repository. It allows you to do all sorts of naughty SSH-based things. This is precisely why it is important that a private key remains private. That makes it sad for GitHub and its users that someone accidentally posted the key on the site last week.

Publicly visible

The key was briefly visible in a public GitHub repository. That was the result of human error. GitHub emphasizes that the error has nothing to do with an attack, nor can a hacker use the GitHub key to compromise their own systems.

To be on the safe side, the Microsoft subsidiary has now exchanged its RSA SSH host key. This affects developers who communicate with GitHub via SSH and RSA. Many users get a message about the changed host key. In this case you have to delete your old public key and add a new public key. Meanwhile, RSA/SSH based actions will throw errors. GitHub itself provides more information on what to do in a blog post.