@VishnuDfx discovered that password reset tokens were being sent to GitHub’s Google Analytics account when a user clicked on a password reset link. If an attacker had access to GitHub’s Google Analytics account, they could use an unused password reset token to change the password of the associated user. We addressed the vulnerability by sanitizing the URL sent to Google Analytics on the password reset page.
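The class of fix described above, as an added example that is not GitHub's code: a client-side helper that redacts a reset token from the page URL before the URL is handed to an analytics library. The parameter names, the token shape and the sample URLs are constructed assumptions.

```javascript
// Added example, not GitHub's implementation. Strip secret-bearing parts of a
// page URL before passing it to a third-party analytics call such as
// gtag('config', ID, { page_location: sanitized }) or ga('set', 'location', sanitized).

// Query parameter names that must never leave the first-party origin (assumed list).
const SENSITIVE_PARAMS = new Set(["token", "reset_token", "code", "access_token"]);

// Defence in depth: anything that looks like an opaque token (long base64url-ish
// string) is redacted even when it arrives under an unexpected name or in the path.
const SECRET_SHAPE = /^[A-Za-z0-9_-]{20,}$/;

// Returns a copy of rawUrl with sensitive query values and token-like path
// segments replaced by "REDACTED" and the fragment dropped. The page can still be
// identified in analytics reports, but the secret never leaves the browser.
function sanitizeAnalyticsUrl(rawUrl, sensitive = SENSITIVE_PARAMS) {
  const u = new URL(rawUrl);

  // Path-carried tokens, e.g. /password_reset/<token>.
  u.pathname = u.pathname
    .split("/")
    .map((seg) => (SECRET_SHAPE.test(seg) ? "REDACTED" : seg))
    .join("/");

  // Query-carried tokens, e.g. ?token=<token>. Snapshot the keys before mutating.
  for (const name of [...u.searchParams.keys()]) {
    const value = u.searchParams.get(name);
    if (sensitive.has(name.toLowerCase()) || SECRET_SHAPE.test(value)) {
      u.searchParams.set(name, "REDACTED");
    }
  }

  // Fragments are not sent to the server but are visible to client-side scripts.
  u.hash = "";
  return u.toString();
}

// Guard for an analytics wrapper or a CI test: true when sanitization would change
// the URL (ignoring the fragment), i.e. when the raw URL carries something secret.
function urlCarriesSecret(rawUrl) {
  const stripped = new URL(rawUrl);
  stripped.hash = "";
  return sanitizeAnalyticsUrl(rawUrl) !== stripped.toString();
}

module.exports = { sanitizeAnalyticsUrl, urlCarriesSecret };
```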