Comment by ZoFreX

Security vulnerability 3: Websites could sniff passwords of users with password-saving browser extensions. If the extension autofills the username and password (and some do out of the box), then a bit of javascript on a GitHub Pages site could have stolen those users' Github passwords.

Excellent move on GitHub's part here.