Ask HN: Went to prison for 18 months, lost access to my GitHub. What can I do?

110 points by joshmn ↗ HN
Hi friends,

The skinny is this: I went to prison, all my personal items were stolen IRL and the same person changed a bunch of my passwords. Subsequently, I can't recover my GitHub account.

I have recovered most of my digital assets by proving I am me. Recovering my GitHub has proven to be more painful than Google's treatment regarding my Google Workspace.

I have the original phone number associated with my account, and can verify a bunch of private repos that are associated with my account—even the number of commits on one of them (almost 6900). I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

I maintain two relatively popular Ruby packages that have gone stale since I've been gone, and there are projects my GitHub there that I was working on prior to my incarceration—including a SaaS I had hoped to launch post-prison and two books I was ready to publish. Having said, just opening another account isn't exactly the option I want to take.

I've opened a ticket, but I'm getting the "shit out of luck because we don't know you are you" treatment. I understand that security is important, but if one can prove they are them, what's the point?

Are there other avenues I have that I haven't explored yet?

34 comments

[ 2.8 ms ] story [ 60.8 ms ] thread
unfortunately, the techniques you are trying in order to get access to a dormant Github account are EXACTLY the same ones that github gets spammed with every day by bad actors attempting supply chain attacks. You don't have anything that proves your identity any more than any rando on the internet in Github's eyes at least. Everything you have presented here may be convincing enough to me, but probably not to GitHub's opsec policies.
Get a lawyer and contact GitHub through legal means.
What law do you think is relevant in this situation?
No idea, which is why I recommend talking to a lawyer and not random people on the internet. Anecdotally I have heard stories of people successfully recovering web accounts via court order.
Is there a phone number associated with the account? How does GitHub want you to prove that you're you?
> I can't, however, provide any 2FA codes or backup codes because they are printed on paper that has, I assume, been destroyed.

The situation you are in is very unfortunate and I am sympathetic but in GitHub's defence, this is exactly what I hope would happen when I enable 2FA. I would be very perturbed to find out that GitHub would grant access to my account given identity documents. There are some creative solutions (e.g: a countdown to the reset with progressively more aggressive email notifications to ensure the account holder is aware) but even they are problematic. So, this sucks, but it's the price we pay for security.

I haven't any help to offer, but want to say that this post along with reading your site the other day has shown a level of composure and resiliency that i aspire to.

Good luck getting your access back.

Thoughts of the top of my head:

- If the most important thing is control of the Ruby gems, reach out to RubyGems.org support

- for your projects, if you have are past collaborators on those repos, they can sometimes open GH tickets referencing the project and vouch for you. Doesn't guarantee success, but adds weight

- GH (being part of MSFT) does have some channels for escalated identity verification. Lawyers or notarized ID may be needed...possibly expensive, but sometimes the only way

GH support is extremely strict on account recovery once 2FA/backup codes are gone. I wish you luck!

You could initiate some kind of legal action to access your data. You'd need a lawyer.

I think it's likely that you wouldn't have legal grounds to force them to give you your data but it's an approach that would most certainly get their attention at a higher level than anything you're able to do from a customer service perspective.

You'd have to have some legal argument as to why they could be obligated to produce the records under subpoena but the standards for that could be quite low.

I'm perpetually worried (and partially prepared) for this sort of scenario, as more of my accounts require 2FA. I dread the day I lose or break my phone, have my items stolen, there's a weather disaster etc. I try to make my hobby repos public and/or backed up in multiple places as a hedge.
FWIW I had a similar conundrum with Slack. I had set-up my business Slack workspace in college; 4 years after graduation my university changed policies (they used to forward name@edu => name@alumni.edu).

I tried the normal means (support tickets etc) to no avail. The third or fourth time I got someone in account recovery. There was a very formal process for verifying my identity (I'm sure based on the process this happens all the time). Eventually I they helped me recover my account. It probably took a few months on the whole, but once I got the right support rep it was only a week or so.

So my advice would be to submit more tickets. Because they might have a process that not all support agents know about, and some are more helpful than others.

Why not create a new account and fork your old repositories? You can restart with updating your old projects and overtime you’d build back up that reputation. I’d also add a note that you were the previous author and lost access to the repositories.
> all my personal items were stolen IRL and the same person changed a bunch of my passwords.

Have you filed a police report? Do you know who this person is? Getting your stuff back might be easier than dealing with github support.

thief changed your github password? why? how did he get get access to your github account ?
Maybe, depending on where you are in the world, you could make some kind of GDPR request to get access to your data, even if you don't recover your account?
Do you personally know the person who stole all of your items and accounts?

I understand if you can't get or won't get in contact with them, but I'm curious as to whether this was a random or someone taking advantage of you.

Edit: Nevermind, I saw your response to someone else.

There are alarming statistics about phone snatching in London. Plus, we are NOT OUR PHONES. Doesn't GitHub have a way for people to verify and prove somebody's identity? Given that's a fact, isn't it best to disable 2FA and stop recommending it to people?

Following this post, I have reviewed all my main accounts, created recovery codes, set up backups, and added alternative email addresses, among other tasks. Hope for the best.

What you might consider doing is try contacting Ruby Central, or whoever it is that runs Ruby Gems. Even if they can't/won't give you access to the account, I'm wondering if they could/would freeze publishing updates to these gems until the account "owner" proves they are who they say they are. That way they don't risk giving control to someone who is hard to verify (you) and they prevent malware from being uploaded by the person who now controls your email until they verify the you are (which obviously they shouldn't be able to do).
I wonder if you can make a creative small claims court claim against them.

Denying access to some repo where you spent x hours on which can be resolved by them paying you y dollars * x hours. And then hoping a lawyer takes pitty on you and restores the account?

WELCOME TO TANGENTIAL INJUSTICE!

Lost access to my phone, then went to Tarrant County jail awaiting trail (innocent until proven guilty but $250,000 bond where no humans or property harmed), and only was able to get a few G-M-@-1-L related accounts reset following a plea bargain to get back my freedom. Lots of corpses in that system. IYKYK.

What can you do? Ask nicely. Hope to escalate. First off though, think of Jack Handey...

If you lost your keys in lava, man, let 'em go, they're gone.

It sounds like you trusted someone you shouldn't have. This person wouldn't happen to be someone who also has spent some time in prison?
(comment deleted)