Researchers from CWI Amsterdam and from Google proved for the first time it is possible to have two different documents with the same SHA-1 value. The teams were able to do this with two different PDFs.The SHA-1 hashing algorithm is outdated but many applications still support it including Github. What this means essentially is that you can take a secret document, Document A, and alter its data (bits) to effectively create a new document, Document B. You could hash both documents with SHA-1 and get the same hashed value (BHGUYU^%$&^$*^&!). Let’s say someone was sending Document A across the Internet but while en route, the document was altered to create Document B. The recipient, expecting to receive Document A, would not know the difference based on the hashed value. If you are encrypting your data based on SHA-1, don’t be too scared right at this moment, however. It took the team 9,223,372,036,854,775,808 SHA-1 computations, 6,500 years of CPU time, and 110 years of GPU time to create the matching hashed values. Most people aren’t able to do this in their basement…..yet.
https://www.theregister.co.uk/2017/02/23/google_first_sha1_collision/