Singling out GitHub seems silly. If you're on GitHub, have a .gitconfig with name + email, and you've made a commit, then that's all public.<p>If a site uses your Gravatar, game over: Gravatar's literally a raw MD5 of your email with the aim to give you a globally identifiable avatar. That's been known (documented!) for a long time and unlikely to be a surprise to many of us here.<p>The only place this is likely to be an issue is when a site knows you but you assume you're anonymous. If you're using a web service where you want to be anonymous, connecting anything with your identity is a bad idea.
Isn't this public knowledge? "Oh no! 'Hackers' have my oh-so-sacred email address! Yeah, that thing on all of my sites, business cards, dozens of whois records, resumes, speaker decks, the Dominoes online ordering system, and so on... What shall I ever do?"<p>I'd seriously question their talent if they weren't able to find it.
The article title is link bait. The article is about Gravatar, and GitHub only matters because it utilizes Gravatar.<p>(Your email address may be visible in all sorts of other ways on GitHub, such as when someone does git log on a public git repository.)<p>If you're worried about your Gravatar being matched to your inflammatory (i.e., trolling) Hacker News or WordPress comments, you probably should be using a separate email account and Tor and whatnot.
the gravatar email recovery hack has been known for years, they are recycling an old topic.<p>luckily my email isn't a secret as I publish it everywhere willingly.