Does anyone have any idea how the hardware key part worked? I was under the impression my yubikey would only send a key for a specific URL so there would be no way to just forward the key to actual github because it would be for the wrong domain.
some details on this breach: <a href="https://blog.gitguardian.com/dropbox-breach-hack-github-circleci/" rel="nofollow">https://blog.gitguardian.com/dropbox-breach-hack-github-circ...</a>