GitHub Notification Spam and Disabling Auto-Watch on UnrealEngine GitHub Forks.

Hey all,

Recently, we’ve been made aware that a number of you have had an influx of GitHub emails from a fork of Unreal Engine that you’re watching due to the fork owner granting the organization write access.

To prevent receiving further updates on the repo, click the little Bell icon by your profile pic, choose the Watching tab and select “Unwatch” on the repos you wish to no longer receive notifications from.


To avoid this in the future, head to your GitHub account settings, select "Notifications, and uncheck the “Automatically watch repositories” option:


In the short term, you can also filter messages from [EMAIL=“”] in your email client to avoid the current clutter. You’ll want to revert that filter once you’ve made the above edits so you’ll still receive notifications on repos you do want them from.

If you have any questions, let me know!

This is more than just watcher spam though. It is malicious intent. I hope Epic is talking with Github because this seems like something that shouldn’t happen.

We are in talks with GitHub about how to avoid this sort of behavior in the future.

Thanks for your concern, John!

I got like 100 emails from github. And I wasn’t watching teardemon’s repos at all - never heard of him before.

This needs to be taken seriously. This leaked a large number of emails for people and was almost certainly malicious in nature. It’s not a “oops” change your settings type of event.

The original fork is gone, we can’t remove ourselves from it (unless that was done automatically).

I’m still being added to new forks created from forks created from it. I’ve been added to about 14 different forks now.

Github doesn’t seem to be on the ball.

Temporarily disabled the auto-watch, but that doesn’t solve the issue, it just stops the symptoms (like the US medical industry!). Need to sort out the root cause of it all.

I agree, I know people are trying to find someone to blame but in all honesty this isnt the first time Ive been spammed through Github thanks to being associated with Epic on there. The way I see it is this person must have had both an Epic and Github account, that there is no real checks on anyone creating Epic accounts (Github Im alittle less concerned about for obvious reasons) and no sort of protections like account aging.

The issue I see is that Epic are adding features to the launcher to protect their login servers while not protecting account creation process barely at all, now you want to make it easy for people to sign up but you need to think about your 2 million active users too whose security is important. Im just glad this exploit wasnt that far reaching and I think Epic do need to take security seriously because next time an “oops, here fix these settings” might not be enough :cool:

Some people … just … grrhhh… I am still getting these bogus subscribes. Some are 404, but some are forks with gibberish user names.

Me either. The solution listed above isn’t really workable, I’m not watching any repos other than my own organization’s, and can’t turn off notifications because of my day job. I guess the only real short term solution is to leave Epic org until GitHub gets it’s act together

Did it actually leak out anyone’s email details? The spam was annoying for sure, but I wasn’t aware of any private information being released.

Thanks, Chance Ivey. Was wondering why all those emails were coming in randomly.


I was ADDED to these … never even heard of them before. Clearly malicious.

EDIT : While typing this I was auto subscribed to 6 more forks and received 93 more emails

See what I mean?

This thread took a strange turn…

thread about spam gets spam post? that’s just genius :wink:

Ahahaha irony. I love it.

So yea… my inbox has been filled with this ff-ed up spam as well.
So besides getting about 10-20 answerhub spams a day from spambots saying I can now watch finding dory, get my male reproductive organ enlarged, or play pokemon go in a semi asian language, I am now automatically subscribed to random repo’s and get a brickton of updates whenever someone adds a new dot or comma to it.
I am afraid it wont be long until i am being pulled into a digital all sausage bitbucket filling festcontest that promotes watching dory while playing pokemon go.

This is just frustratingly annoying.

[MENTION=14973]Chance Ivey[/MENTION]: Reducing spam is just hiding the symptom, the problem is that push access is being granted to strangers in an unsolicited way.

Totally get it Leszek! We’re working with GitHub to see what other provisions can be put into place to avoid this sort of behavior in the future. When developers are part of an organization and have “Automatically watch repositories” enabled, this will occur. Stay tuned for more info about how we can improve quality of life here!