by ygcodes 2169 days ago
Yes I have 2FA and MFA enabled!
1 comment

Another vector is takeover requests via their name squatting policy (that's how I got my username). But those requests shouldn't be approved unless the old account really is inactive. Might have been approved by mistake.

Another vector is the as-yet-unfixed GitHub "ghost" bug, which I discovered and detailed here: https://github.com/git-rest/spooky

Note how you can read that repo, but the account https://github.com/git-rest doesn't exist.

OP got his 2-letter handle via a takeover request: https://dev.to/yg/how-i-got-two-letter-username-on-github-i1...

edit: the ghost repo is a cool trick. Is there a writeup anywhere?

The OP changed his username on GitHub less than a month ago to the name of an inactive account? Perhaps the previous user is complaining.
Yeah, but it's not like he did something nefarious. He found an account that was inactive and requested it from support and they gave it to him. If the previous user complained, either he would get to keep it or the previous user would get it - it wouldn't be deleted/disabled and they probably would have communicated something.
The ghost repo trick sounds similar to a subdomain takeover. I can foresee this being a vector for publishing malicious code.
Does this mean that if I pass away, someone can take over my username and repos under my account?
No, from my experience even a single empty repo disqualifies you from takeover. The point is to prevent name squatting, i.e. registering a name and then doing nothing with it.
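The "ghost" repo described in the thread (a repository that is still readable at github.com/<owner>/<repo> while github.com/<owner> returns 404) is exactly the kind of dependency a supply-chain review should flag. The script below is an added example, not code from the thread or from GitHub: it parses git-style dependency URLs out of a manifest and classifies each one using the public GitHub REST endpoints `/users/{login}` and `/repos/{owner}/{repo}` (both real). The sample manifest and the offline lookup table are constructed for the demonstration; the hypothetical owners `octo-example` and `gone-user` do not refer to real accounts.

```python
"""Flag git dependencies whose GitHub owner account no longer exists.

Added example for the HN thread above; not the thread's or GitHub's code.
A "ghost" result means the repo path answers 200 while the owner login
answers 404, the condition the thread describes for git-rest/spooky.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Matches https://, git+https://, and git@github.com: style dependency specs.
GITHUB_URL = re.compile(
    r"(?:git\+)?(?:https?://|git@)github\.com[:/]"
    r"(?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?:[@#/].*)?$"
)

# A lookup takes an API path such as "users/foo" and says whether GET returns 200.
Lookup = Callable[[str], bool]


def github_exists(path: str) -> bool:
    """Default lookup against the real GitHub API (requires network access)."""
    req = urllib.request.Request(
        "https://api.github.com/" + path,
        headers={"User-Agent": "ghost-repo-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # rate limits (403) or outages should not be read as "missing"


def parse_github_dep(spec: str) -> Optional[Tuple[str, str]]:
    """Return (owner, repo) for a GitHub git dependency, None for anything else."""
    match = GITHUB_URL.search(spec.strip())
    if not match:
        return None
    return match.group("owner"), match.group("repo")


def classify(owner: str, repo: str, exists: Lookup) -> str:
    """Compare owner and repo visibility; 'ghost' is the dangerous combination."""
    user_ok = exists(f"users/{owner}")
    repo_ok = exists(f"repos/{owner}/{repo}")
    if user_ok and repo_ok:
        return "ok"
    if repo_ok and not user_ok:
        return "ghost"          # readable repo under a login that does not resolve
    if user_ok:
        return "missing-repo"   # owner alive, repo gone or renamed
    return "gone"               # neither resolves; ordinary dead link


def scan(manifest: str, exists: Lookup = github_exists) -> Dict[str, str]:
    """Map each GitHub dependency in the manifest to its classification."""
    results: Dict[str, str] = {}
    for line in manifest.splitlines():
        dep = parse_github_dep(line)
        if dep:
            owner, repo = dep
            results[f"{owner}/{repo}"] = classify(owner, repo, exists)
    return results


# Constructed sample manifest (requirements.txt style); only git-rest/spooky is from the thread.
SAMPLE_MANIFEST = """\
requests==2.31.0
git+https://github.com/octo-example/normal.git@main
git+https://github.com/git-rest/spooky
git+ssh://git@github.com/gone-user/gone-repo.git
"""

# Constructed offline stand-in for the API so the example runs without network.
SAMPLE_API = {
    "users/octo-example": True, "repos/octo-example/normal": True,
    "users/git-rest": False, "repos/git-rest/spooky": True,    # the ghost case
    "users/gone-user": False, "repos/gone-user/gone-repo": False,
}


def offline_lookup(path: str) -> bool:
    return SAMPLE_API.get(path, False)


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_MANIFEST, offline_lookup), indent=2))
```

Run it as-is to see the offline classification; call `scan(text)` without the second argument to query GitHub for a real manifest. The check deliberately treats non-404 errors as failures rather than as "missing", since an unauthenticated rate limit would otherwise report every dependency as gone.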