
> While our log analysis, conducted from March 5 through March 8, confirmed that this was a rare issue, it could not rule out the possibility that a session had been incorrectly returned but then never used. This was not a risk we were willing to take, given the potential impact of even one of these incorrectly returned sessions being used.

It is funny how they make it seem like they are super cautious. When in fact they had no other choice than to do it when you rephrase the problem as "there were maybe some people who got the admin rights of the GitHub account of some of our customers".



You say that, but resetting all the sessions is very publicly visible and plenty of smaller companies would paper over such things. Honestly I don't really expect any less from GitHub or Microsoft scale, but don't kid yourself into thinking that kind of thing goes unnoticed, uninvestigated or unactioned elsewhere.


To the contrary, I find my session tokens get reset left and right by websites that don’t even care about how much of an inconvenience it is for the customers.


Personal opinion: Clear cookies every time you stop the browser process, which basically is at least once a day.

Logs you out of all services. It’s a nightmare as a user, but I don’t want those tracking cookies to stick around longer than a single day.


If your concern is tracking, clearing the cookies doesn't help much. The next day you will log in to the same services and websites that you logged into before, and if they share data with 3rd parties they will keep sharing it, with or without cookies.


Firefox can do this automatically. Options > Privacy & Security > check the box "Delete cookies and site data when Firefox is closed".

Anything you intentionally want to retain can be added to the exceptions list.


"Delete cookies and site data when Firefox is closed" has always bothered me; it should be "Delete cookies and site data when Firefox is opened", because abnormal termination is not "closing", and you'd still want the cookies deleted when you start up again.


That way I'd lose the GDPR opt-outs from the number of sites where I've gone through the process.

Perhaps I should just accept the consent and remove cookies regularly, instead of being careful with the consent forms... Hmm, good idea.


Yes, for sure. I use cookie autodelete to remove all cookies as soon as the tab is closed, so nothing lingers.


Yeah, I don't visit GitHub that often, maybe once a week but it logs me out every damn time. I wonder if it's because I have 2FA setup or something.


Is it really that hard to log in again? Using a password manager it's basically two clicks to autofill the right account and hit the submit button.

Login limits are a good thing. It means that the chances of someone taking over your account and using it long term are minimized.


It is not. But a ton of sites seem to be inconsistent about it, or it feels that way at least. Some sites I frequent don't log me out for months at a time, and then suddenly they do. And then they do it again a few weeks later. Followed by multiple months of not doing it once more.


I use a food delivery service (website only, no app) that doesn’t even remember the chosen language setting, and of course never keeps you logged in past 24hrs. So effectively, I need to log in every time I make an order...


That happens to me even on YouTube. Every couple of months I have to fix the language setting and switch back to dark theme. What can't be fixed are Google's weird attempts at auto-translating video titles from other languages, making me click on videos that I simply cannot understand. Don't do that, Google. Do full title, thumbnail and video translation with 90% accuracy or just...don't. Half-assed tech is easy but not helpful for anyone.


This is my biggest pet peeve about delivery service websites. What are the chances that I've moved house since I last ordered a pizza two days ago? Why do you incessantly ask for my postcode? When I log in, assume I'm the same person at the same address. If I have moved and accidentally order to the old house...well that's on me and I'd have to be pretty stupid (or hungry) to do such a thing.


I mean they could do both.

Default to the last postcode but display it on the confirmation screen: "Sending your Pizza to LE13 XYZ". Amazon does it right (as you'd mostly expect).


Because Discord doesn't let you change avatars I have created three different Discord accounts. I get logged out of all three all the time. It's a massive pain.


Huh? You can change your avatar in Discord settings...


Maybe part of the sentence is missing and they meant change avatars _per server_? That would be the only reason I can imagine someone might want to have multiple accounts.


Obviously if they are logging all actions of all users, and there's some decent retention period, they can find out how many people got unintended access and what all they did with it. Recently, I got advice from a C-level executive to include such analytics in ASPSecurityKit [0], because that's what companies are looking for these days. This GH incident makes me consider his suggestion more seriously.

0: https://ASPSecurityKit.net


This points to the last A in the AAA of security, which stands for Authentication, Authorization & Accounting. The AAA moniker is commonly used in reference to either RADIUS or Diameter (network protocols), but the concept is widely used for software application security as well. So Accounting implies: what resources were accessed, at what time, by whom, and what commands were issued?
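The two comments above describe what accounting records make possible after an incident like this one: working out which sessions were handed to the wrong party and what was done with them. The following is an added example, not code from the thread, from GitHub's post-mortem or from ASPSecurityKit; the log format, the `issue`/`request` record kinds and the per-browser `client` identifier are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample log (not real data). "issue" binds a session id to the
# account it was minted for and the client that received it; "request" records
# which client presented the session. "client" is an assumed per-browser id.
SAMPLE_LOG = """\
2024-03-05T10:00:01Z issue   sid=s1 user=alice client=c1
2024-03-05T10:00:02Z issue   sid=s2 user=bob   client=c2
2024-03-05T10:05:00Z request sid=s1 client=c1 action=GET:/alice/repo
2024-03-05T10:06:00Z request sid=s2 client=c3 action=GET:/bob/settings
2024-03-05T10:07:00Z request sid=s2 client=c3 action=POST:/bob/keys
2024-03-05T10:08:00Z request sid=s2 client=c2 action=GET:/bob/repo
2024-03-05T10:09:00Z request sid=s9 client=c4 action=GET:/bob/repo
"""

def parse_log(text):
    """Turn the constructed line format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"ts": parts[0], "kind": parts[1]}
        for kv in parts[2:]:
            key, _, val = kv.partition("=")
            ev[key] = val
        events.append(ev)
    return events

def find_misreturned_sessions(events):
    """Map sid -> {"owner": user, "uses": [(ts, client, action), ...]} for every
    session presented by a client other than the one it was issued to, or never
    issued in the window. Client ids change legitimately, so this is a triage list."""
    issued = {}
    uses = defaultdict(list)
    for ev in events:
        if ev["kind"] == "issue":
            issued[ev["sid"]] = (ev["user"], ev["client"])
        elif ev["kind"] == "request":
            _, client = issued.get(ev["sid"], (None, None))
            if ev["client"] != client:
                uses[ev["sid"]].append((ev["ts"], ev["client"], ev.get("action", "?")))
    return {sid: {"owner": issued.get(sid, (None,))[0], "uses": u} for sid, u in uses.items()}

if __name__ == "__main__":
    for sid, info in find_misreturned_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} (issued to {info['owner']}) used from other clients:")
        for ts, client, action in info["uses"]:
            print(f"  {ts} {client} {action}")
```

A session that shows up in this list but has no `request` rows from a foreign client is the "incorrectly returned but never used" case the post-mortem mentions; the list only tells you which ones need a closer look.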



