Ask HN: Went to prison for 18 months, lost access to my GitHub. What can I do?
But if the right GitHub account is compromised, we could see massive supply chain issues. Or a big important web service with millions of users affected.
The downside of making a wrong call here is just really really big.
There are real businesses being deployed from GitHub.
No offense, OP, but it seems easier to recover the email if you can prove physical identity.
Accusing somebody of theft? Perhaps the police would side with the non-felon.
This hits me hard. So you went to prison, and the person you trusted the most... turned out not to be trustworthy. Please hang in there and hope you meet (or have met already?) people you can rely on!
I'm very grateful for the many people in my life I can absolutely rely on.
The situation you are in is very unfortunate and I am sympathetic but in GitHub's defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents. There are some creative solutions (e.g: a countdown to the reset with progressively more aggressive email notifications to ensure the account holder is aware) but even they are problematic. So, this sucks, but it's the price we pay for security.
The policies are rather draconian as others have mentioned. Anyone could be the victim of theft; mine just has an awkward paper trail attached to it.
edit: https://docs.github.com/en/site-policy/other-site-policies/g...
We need something better. I don't know what it would be.
Not unlike the signature cards banks used long ago, I guess.
Sure, maybe somebody motivated could defraud the government into issuing them a replacement ID in my name. But that’s big boy crime, not a casual “bribe a retail employee to SIM swap” kind of undertaking.
Sure, there are issues of access to government ID systems, and I know anything touching government names / “show me your papers” raises hackers’ hackles—I’m not saying require it, just that I’d choose it if it were a MFA option of last resort.
I'm at that point of agreement. I don't want to say "national SSO ID" because that can get really Orwellian obviously. Being able to put an ID on file is a reasonable ask.
Not already having a ton of easy and effective choke points on the whole citizenry (which such a card would eventually grow into due to its usefulness) is a safeguard against wannabe tyrants being confident they can crush dissent easily and thus to them seizing power in the first place. Just like I wouldn’t steal a car with a manual transmission because I know I wouldn’t be able to drive it successfully, and certainly not well enough to outrun the consequences.
If I were a fascist I’d be a lot more brazen if I knew that I could switch off every dissenter’s ability to travel, work, or even buy food, in an instant.
A fake ID is pretty easy to create, along with a fake face for a video chat where you can hold up your fake ID.
If I have the same physical piece of ID—as I imagine OP might have, upon release from prison—then they can directly compare it to the copy that I supplied previously. Scuff marks and specific document numbers included. I think that probably even scales.
If I lose access to my main identity document, one advantage of government ID is that I’ll urgently have it reissued. In most of the places I’ve lived, that’s the kind of thing you can validate against either the underlying authority or a sleazy-but-reasonably-accurate data broker. But in either case it’s out-of-band from my relationship with the tech company, in a way they can validate by semi- or fully-automated means, and with reference to an independent authority.
If somebody wants to physically mug me to steal my ID for access to my GitHub, I figure I’m pretty much out of luck—to paraphrase James Mickens [0], Mossad’s gonna Mossad.
[0] https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Though now that I write this, it creates a perverse incentive for a company to collect deposits and deny account recovery.
Like my data center (not US based) has a process where if you lose all of the documentation proving that a server is yours, you can go on site physically with ID, and the police and/or national identity service will verify on the spot that your finger prints match what is on file for the ID. It costs something like $300 and you risk being arrested if you're a criminal.
GitHub is such a large attack vector for the whole planet, that I understand their stance.
GitHub supports a "recovery code" more secure than government ID. Print it out, store on USB, store on QR, etc, and stick it in at least one secure safe.
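As an added illustration of the recovery-code model this comment refers to (example code written here, not GitHub's implementation): the service keeps only salted hashes of the codes, each redeemable once, which is why support cannot read a lost set back to you and can only issue a fresh set after re-verifying the account holder.

```python
import hashlib
import hmac
import secrets

# Constructed example of a one-time recovery-code scheme. The server side
# never stores the plaintext codes, only salted PBKDF2 hashes, so a lost
# printout cannot be re-issued, only replaced by a brand-new set.

CODE_COUNT = 8
CODE_BYTES = 5  # 10 hex characters per code, displayed as xxxxx-xxxxx


def generate_recovery_codes(count: int = CODE_COUNT) -> list[str]:
    """Return freshly generated plaintext codes; shown to the user exactly once."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_code(code: str, salt: bytes) -> bytes:
    # Accept the code with or without the dash and in any letter case.
    normalized = code.replace("-", "").strip().lower()
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record: one salt per set, one hash per unused code."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, candidate: str) -> bool:
        """Consume a code if it matches an unused one; False otherwise."""
        digest = _hash_code(candidate, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.remove(stored)  # each code works once
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)
```

Once `remaining()` reaches zero, or the user has lost the printout, the only safe operation left is to discard the store and generate a new set after the account holder has been re-verified.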
Choosing a long, very secure password for your account works really, really well. GitHub hates this, however, and nudges toward less secure practices that are more likely to result in the sorts of compromises described in this thread.
Your best bet would likely be legal. US Federal law imposes some strict rules on lawyers for identity verification to combat money laundering so attorneys have a legally recognized toolkit to verify identity. Having a third party who works for you in the mix could help. Though again, it would involve breaking their policy so this would be a decision made several layers above Zendesk access.
Otherwise, I think this is doing precisely what 2FA is meant to do. It’s not okay for you and you’ve clearly lost a lot because of this, but with the current threat environment, GitHub has to be very careful especially with 2FA. From their point of view, there likely isn’t that big of a gap between your interactions and interactions with people who are trying to take over accounts. A lawyer may not work, but it sure changes that equation.
If you set up 2FA and then lose your 2FA, then that’s just life. Happens sometimes and you move on. GitHub absolutely doesn’t need to provide an in-person recovery service.
Maybe this would only work for new accounts as you'd probably need to provide identity information on before losing access.
- If the most important thing is control of the Ruby gems, reach out to RubyGems.org support
- for your projects, if there are past collaborators on those repos, they can sometimes open GH tickets referencing the project and vouch for you. Doesn't guarantee success, but adds weight
- GH (being part of MSFT) does have some channels for escalated identity verification. Lawyers or notarized ID may be needed...possibly expensive, but sometimes the only way
GH support is extremely strict on account recovery once 2FA/backup codes are gone. I wish you luck!
A repo fork (and maybe more so the GitHub identity fork) is definitely not ideal but if your users can get updates to their packages, maybe it's best to move forward as well as possible.
I think the legal path is your best bet unless you know someone higher up. A legal path could bypass all the offshore IT helpdesk staff (making assumptions, MSFT is a giant mega-corp).
- Use Bitwarden or similar
- Set BW to recognize the Yubikey as one (of several, incl. TOTP ('Authenticator') code) second factor.
- On all other sites and services, generate passkeys (which are essentially virtual yubikeys) and save them in BW.
- In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW.
- BW-stored passkey is now your standard means of authentication for e.g. GitHub, Google, etc
- Put the yubikey in a safety deposit box
- Bravo, you have a very professional trust system
"In BW, save the password and TOTP. BW itself, on another device (or in a separate incarnation - e.g. the desktop app when authenticating the browser extension) is now your everyday means of authenticating to BW."
Can you rephrase it and be specific which passwords and TOTP you mean?
So, let's say you're sitting down in front of a fresh install of Bitwarden. You can go to your phone in your pocket and get the password and TOTP and then set Bitwarden to not require a password for 30 days.
Similarly, let's say you've installed the desktop app for Bitwarden but not yet the browser extension. You can look up the BW password and TOTP in the desktop app and use that to authenticate the browser extension. Or vice versa!
It's not that hard, and you feel like a proper spy doing it ;)
Use an escrow or custodian (lawyer, bank, etc).
Denying access to some repo where you spent x hours on which can be resolved by them paying you y dollars * x hours. And then hoping a lawyer takes pity on you and restores the account?
I've been thinking about how they could solve this, since they accept payments; wouldn't it be possible to request a payment with a specific reference code to verify the identity? Paired with any other required identification process, documentation, etc.
So you have to work around the policy issue.
Lost access to my phone, then went to Tarrant County jail awaiting trial (innocent until proven guilty but $250,000 bond where no humans or property harmed), and only was able to get a few G-M-@-1-L related accounts reset following a plea bargain to get back my freedom. Lots of corpses in that system. IYKYK.
What can you do? Ask nicely. Hope to escalate. First off though, think of Jack Handey...
If you lost your keys in lava, man, let 'em go, they're gone.
Good luck getting your access back.
I think it's likely that you wouldn't have legal grounds to force them to give you your data but it's an approach that would most certainly get their attention at a higher level than anything you're able to do from a customer service perspective.
You'd have to have some legal argument as to why they could be obligated to produce the records under subpoena but the standards for that could be quite low.
I understand if you can't get or won't get in contact with them, but I'm curious as to whether this was a random or someone taking advantage of you.
Edit: Nevermind, I saw your response to someone else.
Have you filed a police report? Do you know who this person is? Getting your stuff back might be easier than dealing with github support.
I tried the normal means (support tickets etc) to no avail. The third or fourth time I got someone in account recovery. There was a very formal process for verifying my identity (I'm sure based on the process this happens all the time). Eventually they helped me recover my account. It probably took a few months on the whole, but once I got the right support rep it was only a week or so.
So my advice would be to submit more tickets. Because they might have a process that not all support agents know about, and some are more helpful than others.
Following this post, I have reviewed all my main accounts, created recovery codes, set up backups, and added alternative email addresses, among other tasks. Hope for the best.
In parallel, talk to RubyGems support about stewarding the gems if GitHub recovery stalls. They can add/transfer ownership with credible verification, so users aren’t stuck. Worst case, spin up a new GitHub, mirror the repos, and note the account transition in README/changelogs—plus a release on RubyGems pointing to the new home. Not ideal, but it keeps your users safe and the project alive while you push on account recovery.